CSO, February 2010 (cover)

You Are Here: The Cyber/Location Nexus, page 30

Dear CISO-Wannabe: Here's why you didn't get the job, page 36

Cover story: Attention to detail makes all the difference in parking lot security and safety

Bob Luca, former head of security for E-Trade: "Employees want to feel safe when they go to work."

www.csoonline.com   $9.00   February 2010


Smarter  technology  for  a  Smarter  Planet: 


Service  in  the  age 
of  smart  assets. 


Smart  assets  are  making  it  possible  to  spread  intelligence  far  beyond 
the  four  walls  of  the  datacenter  into  everything  from  power  lines 
to  railroad  lines  to  assembly  lines.  The  challenge  is:  how  do  you 
choreograph  these  two  worlds— the  physical  and  the  digital— to 
provide  the  quality  services  your  customers  expect  and  the  flexibility 
your  business  needs? 

IBM’s  approach  to  service  management  can  help  you  extend  greater 
visibility,  control  and  automation  through  all  of  your  company’s 
services— inside  and  out— so  you  can  easily  modify  existing  services 
or  quickly  add  new  ones,  laying  the  groundwork  for  a  more  dynamic 
infrastructure.  We’re  helping  companies  all  over  the  world— 20  of  the 
20 top telcos, 10 of the 20 biggest utilities and 7 of the 10 largest
automotive  manufacturers— reach  beyond  the  datacenter  to  deliver 
quality  service  and  respond  quickly  to  the  demands  of  a  smarter  planet. 

A  smarter  business  needs  smarter  software,  systems  and  services. 
Let’s  build  a  smarter  planet,  ibm.com/svcmgmt 


IBM,  the  IBM  logo,  ibm.com,  Smarter  Planet  and  the  planet  icon  are  trademarks  of  International  Business  Machines  Corp.,  registered  in  many  jurisdictions  worldwide.  Other 
product  and  service  names  might  be  trademarks  of  IBM  or  other  companies.  A  current  list  of  IBM  trademarks  is  available  on  the  Web  at  www.ibm.com/legal/copytrade.shtml. 


February 2010, Vol. 9, No. 1


Features...

26 Lots of Concern
Physical Security: Security and architecture have to work hand-in-hand to keep parking areas safe. Here are the fundamentals.
By Michael Fitzgerald

30 You Are Here: The Cyber/Location Nexus
Convergence: What happens when the once-unanchored world of cyberspace collides with geolocation? A look at the effects on art, privacy, security and more.
By Dr. Christopher Tucker

Also Inside...

4 From the Editor

6 From the Publisher

8 Join the Discussion
Ivan Arce wonders: What's the right way to approach cyberwarfare defense?

13 Briefing
■ Companies on Infosec Spending: Where's the ROI?
■ Security and Building Design: What's Changed in a Decade?
■ TSA Document Release Shows Pitfalls of Electronic Redaction
■ Chrome OS May Be Hacker Hot Spot in 2010
■ 7 Ways to Stay Happy in a Miserable Profession

22 Your 2010 Antispam Playbook
Toolbox: Appliance or hosted service? That's just the first of many choices in your battle to stop e-mail spam. CSOs and analysts provide decision support.
By Mary Brandel

36 From the CIO: Why You Didn't Get the CISO Job
Undercover: The previous columnist lamented the state of security hiring. Here's a response from the other side of the desk.
By Anonymous

38 Building a Culture of Accountability
CSOView: Why risk identification and management is everyone's responsibility.
By Kerri Grosslight

40 Debriefing
Quiz: Google Versus Everybody


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2010 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: †. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.




Cover  photo  by  Shannon  McIntyre 




FORTUNE 500 COMPANIES DON'T CHOOSE SECURITY ON A WHIM.


Over  95  percent  of  the  Fortune  500  choose  VeriSign  SSL  as  their  online  security  of  choice. 

Why?  Because  VeriSign  can  enable  the  strongest  encryption  available  and  has  the  most 
rigorous  authentication  standards.  Or  because  VeriSign®  Extended  Validation  (EV)  SSL  offers  the 
most  visible  site  security  available  by  displaying  the  green  address  bar  in  high-security  browsers, 
which  is  also  the  most  effective  defense  against  phishing  scams.  Add  it  up,  and  it’s  easy  to  see 
why  industry  leaders  choose  VeriSign— the  most  trusted  symbol  of  security  on  the  Web. 


It’s  powerful.  It’s  the  most  visible.  Learn  more  about  protecting 
your  site  and  your  customers  at  VeriSign.com/EVSSLPaper. 



2009  VeriSign,  Inc.  All  rights  reserved.  VeriSign,  the  VeriSign  logo,  the  Checkmark  Circle  logo,  the  VeriSign  Secured  logo,  and  other  trademarks,  service 
marks,  and  designs  are  registered  or  unregistered  trademarks  of  VeriSign,  Inc.,  and  its  subsidiaries  in  the  United  States  and  foreign  countries,  All  other 
trademarks  are  property  of  their  respective  owners. 


[FROM THE EDITOR]

Security by Walking Around

It's a new year. Time for a new perspective?

Some security leaders see the new-year transition as a chance to get out of the office, get away from budget spreadsheets and take a fresh look at their defenses. As you take a walk around your organization's points of presence, here are some questions to get you thinking.

Point of sale. Cash, cards, inventory and customer data all intersect at the point of sale. This is the place where physical and digital safeguards need to be coordinated. Are you using wireless data transfer? Are you retaining transaction data you don't need? Are your cash-handling procedures state-of-the-art? Are employees aware of current techniques used by shoplifters and organized retail crime?

Call centers. You need to protect both employees and customers in this setting. Do agents have access to just the right amount of information to be effective in their jobs? Can the night shift get safely to and from their cars or other transportation?

Data centers. Do you have the necessary physical access control systems in place? Can you track where employees or visitors are in the building? Is the facility reasonably safe from physical harm?

Offsite data or paper record storage. Think through the journey that a box of papers or a backup tape will take. Is it secure in the office prior to pickup? How are your chain-of-custody forms organized and stored? Is the transportation method secured?

Loading docks. Are safety regulations being followed, and are they in sync with security measures? What security checks should happen at a distance, prior to delivery or pickup vehicles arriving at the building?

Multitenant buildings and office parks. Who are your neighbors in multitenant settings? What risks might they create for your business? What background checks or other measures are provided for cleaning crews? How does building management account for access control? What is your legal liability for incidents in this setting?

Headquarters and reception. Is your employee badging program effective? Do people find workarounds? How are they dealing with lost badges and access cards? Is the program slowing down office visitors unnecessarily? What about physical keys: are you managing them effectively? (Every building has some.) Are whiteboards and printer baskets leaving proprietary information at risk?

Parking lots. Michael Fitzgerald digs into this fascinating topic in our cover story this month. How is the lighting in your parking areas? Are call boxes necessary and present?

Employees. Awareness programs generally get mixed reviews: some employees appreciate and embrace the tips, while others roll their eyes. Do you need to refresh your messaging? Get new posters or newsletters, or change the wording of your reminder e-mails? Rewrite your policies to be easier to follow? Have you trained your employees to spot social engineering attempts?

Mahogany row. How is your executive protection program? Do your organization's leaders have good security habits? Are their families or homes under your purview? Do they carry sensitive documents or an unsecured smart phone?

Stand in each physical location and think like a thief: How would you attempt to breach the defenses you observe? This kind of exercise can lead you to find more effective, less obtrusive measures to keep your organization whole.

-Derek Slater, dslater@cxo.com


Editor  in  Chief  Derek  Slater 
Senior  Editors 
Bill Brenner, Joan Goodchild
Copy  Editor 
Colleen  Barry 
Editorial  Administrator 
Pat  Josefek 
Contributors 

Mary  Brandel,  Gregg  Keizer, 
Robert  McMillan,  Ariel  Silverstone, 
Ira  Winkler 

DESIGN 

Executive  Director,  Art  and  Design 
Mary  Lester 

Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 

TECHNICAL  ADVISORY  BOARD 

Jason  Cowling 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 
Richard  Power,  Carnegie  Mellon  CyLab 

EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path, 

P.O.  Box  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 


INTERNATIONAL  DATA  GROUP 

Chairman  of  the  Board 
Patrick  J.  McGovern 

IDG  COMMUNICATIONS,  INC. 

CEO  Bob  Carrigan 
Chief  Content  Officer 
John  Gallant 






Photo  by  Webb  Chappell 


NOT  PROTECTING  YOUR  DATA 

IS  LIKE  BLAMING 

IT  ON  THE  DOG 




TRUST 


DEFINED 


Many  security  companies  talk  about 
"Trust",  but  not  all  data  protection  is 
created  equal.  Whether  stored  on  a 
device,  in  a  data  center  or  transmitted 
in  the  cloud,  PGP  solutions  for  email, 
endpoint,  file  and  server  protection  scale 
to  more  platforms  so  you  can  protect  data 
wherever  it  lives.  With  PGP  Corporation 
as  your  trusted  partner,  protecting  the 
value  of  your  sensitive  data  has  never 
been  easier. 


For more information contact PGP Corporation at +1 (888) 515 4920 or visit us at www.pgp.com


[FROM THE PUBLISHER]

So What Is PCI Really About?

CSO's publisher says card issuers must do as they say, not just say what to do

Over the last several years, PCI has become a driving force in information security. Much as federal regulations like GLBA and SOX did in their day, PCI has become the hook that many organizations hang their budget request hats on in order to get funding. What a great model: Have the credit card industry use its muscle to get the merchants to institute good security practices. In theory it sounds workable.

But I'm beginning to hear a few disturbing tidbits of information that make me question where the credit card companies are coming from. Think about things from the enforcement side of the equation: The credit card issuers police the merchants for PCI violations and then have the option to levy fines for those violations. Storing full credit card data in an unencrypted format? That's a fine. I think most of you know the drill.

But what if the credit card companies are maneuvering the merchants into noncompliance?

What I'm told is that some of the biggest violators of PCI are the card issuers themselves. I won't name names, but I've been hearing, repeatedly, that some card issuers are sending full customer account data to merchants in unencrypted files. The merchants I have spoken to are hopping mad about this because it forces them into violations of key PCI provisions. It also opens them up to fines from the very organizations that are sending them the vulnerable data.

So what does this all mean? The capitalist in me says it sounds like a great revenue model for the credit card companies. Financial quarter looking a little weak? Send out some e-mails with unencrypted card data to merchants and then start handing out fines. Want to pad your CEO's bonus a little more? Send out a BIG file and follow it up with a BIG fine. Who are they going to complain to? Of course I'm joking here. (Am I?) But if card issuers aren't taking this seriously, how do they expect merchants to do so? I am told that card issuers claim these are unique incidents that have happened inadvertently. Anyone else see the irony here? But unfortunately I am also told that rarely does a week go by when this does not happen.

As the rules become increasingly strict, card issuers are going to have to move beyond the "Do as I say, not as I do" mentality and begin to lead by example.

Have you run into this? Drop me a line and let me know.

Best regards,

-Bob Bragdon, bbragdon@cxo.com


Advertiser index

ActivIdentity Inc. ... 15
AT&T ... 11
Computerworld ... 35
CSO ... 12, 33
GovSec ... 21
HID Corp. ... C4
IBM Corp. ... C2
ISACA ... 7
PGP Corp. ... 5
PhoneFactor ... C3
NetworkWorld ... 25
SpectorSoft Corp. ... 39
Trend Micro Inc. ... 16
Tripwire Inc. ... 9
VeriSign ... 3


Photo  by  Christopher  Navin 


President  and  CEO 
Michael  Friedenberg 
Group  Publisher  Bob  Melk 
Publisher Bob Bragdon
Senior National Sales Manager
Per  Melker 

East  Coast  Regional  Sales  Manager 
Roz  Burke 

West  Coast  Regional  Sales  Manager 
Michelle  McHugh 
Sales  Associate 
Sarah  Nadeau 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

SVP,  Online  Sales  &  Ops 
Gregg  Pinsky 
VP,  Online  Sales 
Brian  Glynn 

East  Coast  Online  Regional 
Sales  Manager 
Richard  Hartman 
West  Coast  Online  Regional 
Sales  Manager 
Erika  Karr 

Central  Online  Regional 
Sales  Manager 
Stacy  Bryne 

Director,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialists 

Jennifer  Malkasian,  Elise  Ryan, 

Tara  Shea 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Charles  Lee 
National  Sales  Directors 

Tom  Grimshaw,  Karen  Wilde 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 

EXECUTIVE  PROGRAMS 

SVP,  Executive  Programs 
Ellen  Daly 

Vice  President,  Event  Marketing 
Michael  Garity 

Sr.  Director,  Event  Operations 
Deb  Begreen 

VP,  Content  Development  &  Events 
Derek  Hulitzky 

MARKETING 

Vice  President,  Marketing 
Sue  Yanovitch 

Sr.  Marketing  &  PR  Specialist 
Lynn Holmlund

LIST  SERVICES 

Contact  Steve  Tozeski  of 
IDG  List  Services  at  508  820-8106  or 
stozeski@idglist.com 

REPRINTS  &  PERMISSIONS 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group,  800-290-5460  ext.  129, 
cso@theygsgroup.com 


ISACA® Certifications

ISACA certifications increase your value to employers and clients.

Being a CISA®, CISM® and/or CGEIT:

► Counts in the hiring process.
► Enhances your credibility and recognition.
► Boosts your earning potential.

Secure Your Career: Get Certified.

Visit www.isaca.org/csomag.

Register for the 12 June 2010 exam
Final registration deadline: 7 April 2010

ISACA
Trust in, and value from, information systems


What^s  on  your  mind?  Security  leaders  discuss 
and  debate  at  www.csoonline.com 


BLOG POST

Cybergeddon: Game of Bullets or Dollars?

Ivan Arce wonders what is the right way to approach cyberwarfare defense

Over the last several years, and especially over the last few months, I've seen an increase in the media coverage of stories and reports about apocalyptic scenarios in which cyberincidents could be orchestrated to affect a nation's critical infrastructure as a direct or auxiliary means of imposing policies, tilting the international balance of power among nation-states, or unleashing and amplifying terror in nonstate actors. Simply put: scenarios where Global Cyber War becomes a tangible reality to an entire country's population.

Where do these ideas come from? What do they mean to the information security and risk management professionals? Should IT security and risk issues be discussed in the context and using the discourse (rhetoric) of war and military doctrine? Should we address them purely from a legal perspective? Would they be better understood through the lens of economic studies or the dynamics of complex social systems?

The right answer is likely to be "yes" to a combination of all of the above, but when I saw a 60 Minutes segment on the topic and shortly thereafter a publication from a security vendor triggered my curiosity about the prospects of an impending global cyber Armageddon, I was less interested in finding the right answers than I was in figuring out what would be the more appropriate questions to formulate.

The idea of waging offensive war using technological means over the Internet—or, more generally, using information technology—isn't new at all. In 1990, in the book The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage, Clifford Stoll provided an early account of real-world computer intrusions linked to intelligence-gathering activities during the Cold War. Only a couple of years earlier, Robert Tappan Morris Jr.—son of the former chief scientist of the National Security Agency's National Computer Security Center—had unleashed the first Internet worm, now known as the RTM or Morris worm, which spread so rapidly that it prompted the forceful disconnection from the Internet of the U.S. military's nonclassified network (MILNET).

In 1992, the cyberwarfare theme was presented for mass public consumption with the widespread dissemination of a story about the alleged use by the U.S. military of a targeted printer virus to disable the Iraqi air defense system during the Persian Gulf War. The news turned out to be a hoax,




Photo  by  iStockphoto.com 


ADVERTORIAL: EXECUTIVE VIEWPOINT

Dwayne Melançon
Vice President, Log Management, Tripwire

Next-Generation Log Management: Just Say "No" to Compromise

Find out why Tripwire's Dwayne Melançon says next-generation log management solutions can give CIOs the performance and intelligence they need to operate more efficiently.

"You get a platform that can simultaneously store, analyze, categorize and index data."

What's the biggest log management pain point for CIOs?

Compromise is the biggest issue. CIOs have been forced to choose between performance and intelligence. Traditional log and event management solutions typically compile vast amounts of data, which puts the focus on performance. But how do you single out the important information from a landfill of log data?

Where does log management fall short?

Legacy solutions have no brain. They gather and store logs, but when you want to do something useful with that data they come up short. That's why organizations try to compensate by cobbling systems together to add intelligence and analysis capabilities.

What's the most common misconception around log management?

It's definitional. When people say "log management," they're really talking about what industry analysts refer to as security information and event management (SIEM) and file integrity monitoring (FIM). That's where the next-generation approach comes in, bundling in all these aspects of information management.

Why are log management and SIEM so crucial to the business?

Combined, these capabilities give you visibility into all events of interest, the intelligence to filter and find data relationships to identify the most critical threats, and the ability to automate your decisions. An effective log management plan provides all three of these capabilities in one solution to benefit the business as a whole.

Why should FIM be integrated into log management?

It's important for both data integrity and security. Just knowing about changes and seeing log data isn't always enough. For example, a change to a password file preceded by five failed login attempts indicates a possible brute force attack and warrants investigation. Traditional log management solutions wouldn't provide the visibility to relate those two events.

What are the advantages of an integrated log and event management solution?

If these functions are designed to work as one—rather than separate systems duct-taped together—you don't have to compromise. You get a platform that can simultaneously store, analyze, categorize and index data. And you get real-time intelligence so you can ask questions of the data and look for suspicious matches using real-time dashboards and single-click detail investigation.

What about questions of scale?

With legacy systems, the only way to solve a performance problem is to throw more hardware at it. With a software approach, though, it's easy to scale. And upfront analysis and indexing means you don't have to forfeit intelligence. That's one-up on the previous regime, allowing organizations to scale and analyze without the added investment.

What impact can all of this have on TCO?

Integration is key, providing simultaneous access to intelligence, visibility and automation. That means you spend less time sifting through non-actionable information, so you can zero in on events of interest and achieve faster time to resolution. Time is money, so the faster you are the better off you are.

Dwayne Melançon joined Tripwire in 2000 and leads the company's log management business. In previous positions at the company, Dwayne was vice president of Business Development, Professional Services & Support, Information Systems, and Marketing. Dwayne is certified in IT management and audit processes, and he holds both ITIL and CISA certifications.

FOR MORE INFORMATION: please visit www.Tripwire.com

CSO Custom Solutions Group
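The one concrete detection in the interview, a password-file change preceded by five failed logins, is a correlation a practitioner can script in a few dozen lines before committing to any platform. The following Python is an added example written for this page, not Tripwire's code: it parses constructed authentication and file-integrity lines in an assumed format, keeps failed logins per source IP, and raises an alert when a credential file changes within a window that also holds at least five failures from one source. The line formats, the 10-minute window, the threshold and the list of credential files are assumptions; a later /etc/passwd change with no failures in its window is included to show the negative case.

```python
"""Correlate repeated failed logins with a later change to a credential file.

Added example, not Tripwire's code. Assumed (constructed) line formats:
  auth : "<ISO timestamp> sshd: Failed password for <user> from <ip>"
  FIM  : "<ISO timestamp> fim: MODIFIED <path>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")
FIM_RE = re.compile(r"^(\S+) fim: MODIFIED (\S+)$")
CREDENTIAL_FILES = {"/etc/passwd", "/etc/shadow"}   # assumed watch list

# Constructed sample: five failures from one host, then /etc/shadow changes.
# The /etc/passwd change hours later has no failures in its window and must
# not alert; the wtmp change is not a credential file and must not alert.
SAMPLE_LOG = [
    "2010-02-01T02:00:05 sshd: Failed password for root from 203.0.113.7",
    "2010-02-01T02:00:11 sshd: Failed password for root from 203.0.113.7",
    "2010-02-01T02:00:19 sshd: Failed password for admin from 203.0.113.7",
    "2010-02-01T02:00:40 sshd: Failed password for alice from 198.51.100.9",
    "2010-02-01T02:01:02 sshd: Failed password for root from 203.0.113.7",
    "2010-02-01T02:01:30 sshd: Failed password for root from 203.0.113.7",
    "2010-02-01T02:03:00 fim: MODIFIED /var/log/wtmp",
    "2010-02-01T02:05:10 fim: MODIFIED /etc/shadow",
    "2010-02-01T04:30:00 fim: MODIFIED /etc/passwd",
]


def parse(lines):
    """Yield (timestamp, kind, payload); kind is 'fail' or 'fim'.
    Lines in neither format are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), "fail", (m.group(2), m.group(3))
            continue
        m = FIM_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), "fim", m.group(2)


def correlate(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per credential-file change that was preceded, within
    `window`, by at least `threshold` failed logins from a single source IP."""
    failures = defaultdict(list)        # source ip -> failure timestamps
    alerts = []
    for ts, kind, payload in sorted(parse(lines), key=lambda e: e[0]):
        if kind == "fail":
            _user, ip = payload
            failures[ip].append(ts)
        elif payload in CREDENTIAL_FILES:
            for ip, stamps in failures.items():
                # only failures that happened before the change and inside the window
                recent = [t for t in stamps if ts - window <= t <= ts]
                if len(recent) >= threshold:
                    alerts.append({"path": payload, "ip": ip,
                                   "failures": len(recent), "changed_at": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Sorting by timestamp before correlating matters because the two sources arrive on different channels and a FIM event can be logged before the login failures that preceded it. Per-IP counting, rather than a global count, is what keeps unrelated noise (the single failure from 198.51.100.9) from inflating the match.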


but by then the cyberwarfare meme had already taken up permanent residence in our brains, like a pernicious printer virus—Oops! As early as 1995, some U.S. hackers were already trying to align their peers' allegedly anarchic and purposeless behavior with more patriotic endeavors, such as attacking French computer systems.

Although I've not found a definitive date at which information security attack and defense was incorporated as part of U.S. military doctrine under the umbrella term "cyberwarfare," in a PBS interview John Arquilla, professor at the Naval Postgraduate School, dated the creation of the concept to the early 1990s.

In fact, the event that most likely explains or indicates the incorporation of cyberwarfare into military doctrine is the 1993 publication by the RAND Corporation of an article authored by John Arquilla and David Ronfeldt titled "Cyberwar Is Coming!" More recent coverage on the topic is found in another RAND publication: Martin Libicki's Cyberdeterrence and Cyberwar. The original sign of the adoption of a cyberwar doctrine and strategy by the Chinese military is often traced back to the "Unrestricted Warfare" document of 1999, authored by Qiao Liang and Wang Xiangsui, colonels in China's People's Liberation Army. Identifying the origins of the military doctrine and strategies for cyberwarfare of other nation-states or finding evidence of active development of their capabilities seems much harder.

The first account of computer security incidents as cyberwarfare scenarios rather than just breaches of U.S. national defense-sensitive systems was in a November 2000 report to Congress from the Congressional Research Service that starts with this ominous sentence: "There is a war being waged in cyberspace today—at least that's what many in government and the media would have us believe."

Subsequent Congressional Research Service reports from 2004, 2005, 2007, 2008 and 2009 demonstrate the complex and convoluted process through which policy-makers tried to understand the plausibility of cyberwarfare and cyberterrorism and determined what actions need to be taken.

Despite the reams of information, reports and accounts of information security incidents as telltale signs of an upcoming Cybergeddon, many—most?—security practitioners in both the private and public sectors are primarily concerned about cybercrime and their inability to effectively measure IT security risk and determine what's the appropriate amount of investment in security and what is a reasonable expected return.

In the absence of reliable and statistically relevant data to estimate the macroeconomic and financial effect of cyber insecurity and of the study of possible individual and business incentives for improved security—and of corresponding disincentives for weakened postures—the debate around IT security is likely to remain dominated by war- and crime-oriented visions, although most current evidence indicates that information security problems could be best addressed by both national and international organizations that have a broader scope attending to global finance, economic and social development issues.

What do you think? Is IT security mostly a national defense issue? Would it be better addressed as a component of economic policy, foreign affairs or criminal justice? Is it time for a Cash for Cyberclunkers program?

-Ivan Arce

Join the CSO Forum on LinkedIn

The CSO Forum is the best place to share expertise with peers: top leaders in digital and physical security, business continuity, fraud prevention and other operational risk areas. Members get advance access to research, event discounts and more.

-Search groups for CSO Forum

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.




Network  Security. 

It's  what  we're  made  of. 

MANAGED  SECURITY  SERVICES  FROM  AT&T.  When  it  comes  to 
system  security  and  protecting  your  network,  trust  your  business 
data  to  the  architect  and  overseer  of  the  world's  largest  wired  and 
wireless  network.  With  AT&T's  vast  security  expertise,  we  can  assess 
vulnerabilities,  help  protect  your  infrastructure,  detect  attacks  and 
respond  to  suspicious  activities.  Taking  care  of  the  hidden  dangers, 
so  you  can  focus  on  the  work  that's  in  front  of  you.  That's  how 
AT&T  helps  your  business  Stretch. 

att.com/dnasecurity 


at&t 

Your  world.  Delivered. 


© 2009-2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.


cso 

Perspectives 

April  5-7,  2010 

Hyatt  Regency  Santa  Clara 

Santa  Clara,  California 
www.csoonline.com/csop10


This  year's  CSO  Perspectives  brings  you 
the  state-of-the-art  in  security  strategies, 
solutions  and  policy.  We’ve  gathered  a 
roster  of  industry  leaders  that  will  present 
their  state-of-the-art  perspective  on  risk 
management,  application  security,  security 
spending,  cloud  security,  fraud  detection, 
as  well  as  focused  roundtable  discussions 
on  data  loss  prevention,  securing  Web  2.0, 
executive  security,  secure  coding  and 
social  engineering. 

YOU’LL  HEAR  FROM  INDUSTRY  EXPERTS  LIKE: 

•  MICHAEL  THEIS 

Executive  Director  of  Insider  Threat 
Management  for  Raytheon,  and  the  former 
CISO  of  the  National  Reconnaissance  Office 

•  BHAVESH  PATEL 

Senior  Director  of  Global  Risk  Operations 
for  Genzyme 

•  JIM  REAVIS 

Co-founder  Cloud  Security  Alliance 

•  JONATHAN  RICHARDSON 

Partner,  Black  Swan  Group 

TO  REGISTER  VISIT 

www.csoonline.com/csop10,
call  800-366-0246  or  email 
executiveprograms@cxo.com 


Produced  by: 


CSO 

BUSINESS RISK LEADERSHIP


“Terrorism  and  crime  had  been  around  a  long  time, 
but  after  9/11,  things  changed  in  building  design.”  page  14 


Edited  by  Bill  Brenner 


Companies on Infosec Spending: Where’s the ROI?


Companies  have  spent  millions  to  bolster 
their  IT  security  this  past  decade.  But 
some  are  starting  to  wonder  if  it’s  been 
worth  it,  according  to  the  2010  Cyber 
Security  Watch  survey. 

Defending IT assets has been a high-cost proposition for many organizations, but they’ve been given strong motivation by malware attacks, data security breaches and the resulting regulatory compliance cattle prod. Despite this outlay, the bad guys are still a few steps ahead in sophistication and speed, and some companies wonder if their investments were worth it, according to the newly released Cyber Security Watch Survey.

More than 500 respondents, including business and government executives, professionals and consultants, participated in the survey, conducted by CSO in conjunction with the Secret Service, the CERT program at Carnegie Mellon University’s Software Engineering Institute, and Deloitte and Touche’s Center for Security and Privacy Solutions. Though respondents say they’ve made major efforts to keep their companies secure, many admit it’s getting almost impossible to outpace the bad guys.

“Security confidence seems to be waning. Respondents are spending more money and implementing new capabilities, but overall they seem to be unsure about how truly effective their efforts really are toward ensuring security,” said Ted DeZabala, principal at Deloitte and Touche and U.S. leader of Deloitte’s security and privacy services.

The survey showed a drop in cybercrime victims: 60 percent said that they had been hit in 2009, compared to 66 percent in 2007. But the affected organizations have experienced significantly more attacks than in previous years, fueling doubts about whether security upgrades are providing sufficient ROI.

Between August 2008 and July 2009, more than one-third (37 percent) of respondents experienced an increase in cybercrimes compared to the previous year. While company outsiders are the main culprits in such attacks, the most costly or damaging strikes are more often carried out by insiders (employees or contractors). One-quarter of all cybercrimes were committed by an unknown source.

Although the number of incidents rose, the ramifications have not been as severe. Since 2007, when the last such survey was conducted, the average monetary value of losses resulting from cybercrimes declined by 10 percent. This can likely be attributed to increases in both IT security spending (42 percent) and corporate/physical security spending (86 percent) over the last two years.

And yet as technology advances, so do the attack methods, and many respondents worry that the bad guys are still winning. Outsiders attack with phishing schemes or malicious code such as spyware, viruses or worms, while insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to or use of information systems or networks, and steal intellectual property.

The survey found that insiders most often commit electronic crimes against their organization by copying information to their laptops or mobile devices. Respondents suggested data is often downloaded to home computers or sent outside the business via e-mail. This may lead to damaged reputations and may put organizations in violation of state or federal data protection laws.

BY THE NUMBERS

Despite steady IT security spending (and some security improvements as a result), companies worry that their efforts to stay ahead of the bad guys could fall short in the end, according to the 2010 Cyber Security Watch Survey. Here’s a snapshot of how companies are doing:

500: Number of respondents.

60%: Respondents who said their companies suffered a cyberattack in 2008-09.

66%: Respondents who said their companies suffered a cyberattack during the same period one year before.

37%: Respondents who experienced an increase in cybercrimes compared to the previous year, despite the overall drop.

More than half of the respondents (58 percent) said they believe they are more prepared to prevent, detect, respond to or recover from a cybercrime than they were the previous year. But only 56 percent have a plan for reporting and responding to such an incident.

The research also indicated that businesses are trying to take steps to identify insider threats. Nearly one-third (32 percent) of respondents now monitor the online activities of employees who may be disgruntled or who have turned in their resignations.

Dawn Cappelli, technical manager for the threat and incident management division of CERT, said insider attacks continue to be seen as a bigger problem than anything that might come from the outside. They “are more costly than outside attacks, and seven of the top eight practices that were indicated as being most effective at prevention, detection and deterrence apply to employees,” she said.

Though many respondents may be doubting the ROI of their security upgrades, the efforts to deal with insider threats at least indicate that no one is thinking about decreasing spending. Perhaps many feel they have no choice but to keep shelling out, lest they fall even further behind the bad guys.

“This looks like good news: they have found effective practices for handling the most costly threats,” Cappelli said. “However, the technical solutions for insider threat mitigation were ranked alarmingly low: DLP ranked ninth least effective [out of 10], and change control/configuration management systems ranked fifth least effective. In addition, account audits are only being performed by 43 percent of respondents, probably because of the technology gap.”

With that in mind, her parting advice is not to the respondents, but to the vendor community: Come up with something better to help customers achieve the DLP and change control/configuration management they need.

-Bill  Brenner 


ARCHITECTURE 

Security and Building Design: What’s Changed in a Decade?

Building  security  design  barely  made  the  radar  screen  of  most 
architects  10  years  ago.  But  as  architect  Barbara  A.  Nadel 
explains,  the  last  decade  put  the  issue  front  and  center. 


As we begin 2010, the two hot topics among building designers are security and environmental sustainability. What a difference a decade makes, according to author and architect Barbara A. Nadel, who specializes in building security, planning and design as the head of her New York firm Barbara Nadel Architect. She remembers when security and green design were mainly afterthoughts, but that has all changed since 9/11 and the rise of the environmental movement.

Nadel,  who  also  served  as  editor-in-chief  of 
Building  Security:  Handbook  for  Architectural 
Planning  and  Design,  spoke  with  CSO  about  how 
building  architecture  evolved  tremendously  in  the 
past  decade,  and  why  security  is  now  a  paramount 
concern  before  ground  is  even  broken. 


CSO:  How  did  you  first  become  interested 
in  security  with  regard  to  building  design  and 
architecture? 

Barbara Nadel: I formed my architectural firm in 1992. Before that, I had been working mainly in healthcare and institutional design. During the ’90s, there was need for healthcare planning in the prison system and through that, I got into correctional facility planning and design. I’ve been very active with the American Institute of Architects for many years. In 2001, I was the national vice president of the AIA. After 9/11, I realized there was no single security resource for the design and construction industry, especially for architects, engineers, facility managers, consultants, and building owners seeking guidance on security design in the post-9/11 world. Terrorism and crime had been around for a long time, but after 9/11, things changed in building design.


With that in mind, I put together a group of national experts in various fields and we wrote Building Security: Handbook for Architectural Planning and Design.

The book has been read around the world and has done very well. Had people in the security and design industries been seeking this kind of security and design knowledge for a while? Or was it really the concerns of a post-9/11 world that prompted the popularity of the book?

There  were  several  benchmark  events  before 
9/11,  impacting  U.S.  facilities  at  home  and  abroad. 
Most  of  them  occurred  at  government-owned 
buildings. 

The 1983 bombing of the U.S. Marine barracks in Beirut, Lebanon, was the first incident of a truck bomb used to destroy a building. In 1996, the destruction of the Khobar Towers in Dhahran, Saudi Arabia, involved the truck bombing of a U.S. military installation. The 1998 bombings of the U.S. embassies in Tanzania and Kenya underscored the need to provide secure facilities for Foreign Service personnel serving overseas.

Within the United States, the first World Trade Center bombing occurred in 1993 in an underground parking garage. The Oklahoma City bombing of the Alfred P. Murrah building happened in 1995. Both incidents involved vehicle bombings of iconic buildings.

After these events, those responsible for security within government facilities where people live and work became more acutely aware of increased security needs. But commercial building owners weren’t necessarily as concerned. It wasn’t quite on their radar screen. The events of 9/11 changed that, as many private building owners started to realize their people, buildings and assets could be at risk. The threat of terrorism put a different spin on what could happen to public and private facilities in the United States and worldwide.

Terrorism around the world, as we have seen in places from London to Mumbai, has made many governments sensitive to protecting their populations, infrastructure, and communities. Security is not an isolated issue. Every country in the world is concerned about terrorism and how to protect its



Illustration  by  iStockphoto.com 


EXECUTIVE 

VIEWPOINT 


ADVERTORIAL 


Identity  Fraud  Rising: 

Today's  Tough  Economy  Calls 
for  Tough  Access  Control 


Grant Evans, chief executive officer and chairman of the board of directors, ActivIdentity Corporation

Grant  Evans  is  a  22-year  veteran  of  the  identity  security  market  with 
experience  ranging  from  startups  to  multi-hundred  million  dollar  companies. 


A turbulent economy brings many security challenges—from increased identity fraud and insider threats to heightened oversight. CEO Grant Evans of Fremont, Calif.-based ActivIdentity, shares his thoughts on the growing need for strong authentication and credential management.

How has the financial crisis and recession impacted identity fraud?

All forms of identity fraud have risen dramatically. One analyst estimates online identity theft in the U.S. has jumped from 37 percent to 68 percent. Historically, U.S. financial institutions have mitigated fraud risk by relying on insurance policies and offered consumers reimbursements rather than deploy strong authentication technology. That lack of access control gives hackers and identity thieves the perfect environment for their crimes. Now, though, many financial organizations are implementing strong authentication methods to address fraud loss, strengthen compliance, and to gain competitive advantage.

What else do CSOs need to think about in a challenging economy?

There are two other issues that point to the need for strong authentication and credential management systems. First, in conjunction with a credential management system, strong authentication can protect the organization against dangerous insider threats—namely disgruntled ex-employees—during a time when massive layoffs seem to occur daily. Second, with increasing oversight, strong authentication allows you to define, track, monitor, and report on who has access to what and when; thus reducing the time and cost associated with audit compliance.

Has ActivIdentity’s approach to new technology offerings changed as a result of the economy?

Yes it has. Given today’s cost pressures, ActivIdentity is pursuing strategies that enable organizations to more affordably thwart security threats and identity fraud. We are partnering with managed service providers that will offer our security solutions to enable strong authentication and credential management services “in the cloud.” We are also taking advantage of mobile phones as authentication devices—instead of issuing badges—to provide greater user convenience and jump-start security initiatives with a lower TCO.

What  role  does  regulation  play  in 
strong  authentication? 

Regulatory compliance is a major driver in the adoption of strong authentication across many industries. For example, with legislation like the Homeland Security Presidential Directive 12, strong authentication and credential management systems allow government agencies to issue, use and manage Personal Identity Verification (PIV) cards in compliance with the FIPS 201 standard. Similarly, many large enterprises take advantage of strong authentication to document access to sensitive data or applications for compliance with the Sarbanes-Oxley Act.


How  are  you  safeguarding  your  own 
company  from  identity  fraud? 

We deploy our own solutions to secure our IT infrastructure and adhere to best practices for identity and access management. Our employees wear badges that contain their personal information and identity-based access credentials in a smart card chip. Those badges are used to open doors, log into computers, and access the VPN environment and business applications—all of which helps us defend against security threats and identity fraud.

What  advice  would  you  give  CSOs 
as  they  contemplate  their  identity 
challenges? 

When it comes to implementing strong authentication and a credential management system, CSOs should consider the following: First, evaluate and select authentication methods that are most appropriate for one or more use cases across different user communities. Second, be sure to think about future use cases and user communities. Finally, migrate toward a broad-portfolio vendor that provides a single authentication infrastructure while supporting all necessary methods.


FOR  MORE  INFORMATION: 

Check  out  the  white  paper  "Understanding  Versatile 
Authentication  and  Its  Benefits"  at 
www.csoonline.com/whitepapers/actividentity 

ActivIdentity


CSO Custom Solutions Group


60% OF PRODUCTION VIRTUAL MACHINES ARE LESS SECURE THAN THEIR PHYSICAL COUNTERPARTS!


Enterprises around the world are relying on virtualization to increase datacenter efficiency and, unknowingly, leaving themselves more vulnerable. That’s because conventional security isn’t able to protect virtual machines or see the traffic between them, leaving data and networks exposed. Which is why, according to Gartner, Inc., in 2009 sixty percent of virtual machines were less secure than their physical counterparts. But with Trend Micro™ Enterprise Security, powered by the Trend Micro™ Smart Protection Network™ infrastructure, you can mitigate the risk and maximize the benefits of virtualization. It’s a different kind of security that protects your physical and virtualized environments and helps set the foundation for your company to move confidently into the cloud.


►  Learn  how  to  protect  your  virtualized  datacenter.  Download 
the  Trend  Micro  eBook  at  trendmicro.com/thinkagain 


Trend Micro


Securing  Your  Web  World 


>>  BRIEFING 


(from  previous  page) 

assets. This can typically include critical infrastructure, such as roads and energy sources, and high-rise buildings, especially if there are global companies as tenants or owners. Governments and private companies must protect their people and property. It’s a global issue.

So,  back  to  the  initial  question:  People 
want  this  kind  of  information  now  because 
many  are  struggling  to  figure  out,  “What  do 
we  do?  We  can  call  upon  law  enforcement, 
gather  intelligence,  and  deploy  operational 
and  military  personnel,  but  how  do  we  protect 
our  buildings?"  The  challenge  is  that  we  don’t 
want  to  build  fortress  cities;  we  don’t  want  to 
build  bunkers.  We  want  beautiful  buildings 
and  vibrant  cities  that  will  attract  tourism  and 
send  the  message  that  it  is  safe  to  visit,  live 
and  work  in  these  urban  centers  and  suburban 
places.  But  we  also  now  must  have  a  level  of 
protection  that  signals,  “We  aren’t  going  to 
make  it  easy  for  terrorism  and  crime  to  disrupt 
our  way  of  life.” 

You’re in the beginning stages of developing a second edition of the book. What’s changed with security and the design industry since the book was first published in 2004?

I have heard from a number of the book’s contributors that many security approaches have been refined and improved in various areas. The second edition of the book will include some new topics as well. From engineering, technology and code perspectives, there have been more innovations and ongoing research. Design-wise, many high-performance and sustainable materials, such as blast-resistant glazing and curtain walls, have come on the market. There have been many lessons learned after 9/11. In New York City, the building code was amended because of the events at the World Trade Center. Before 9/11, getting people out of a burning high-rise building was a major concern reflected in the codes. After 9/11, avoiding what is known as progressive collapse (whether caused by a bomb, fire or other destructive force) became a critical structural engineering issue. Thus rapid and safe evacuation of high-rise building occupants to the outdoors during an emergency is now a concern for owners and tenants. In new high-rises, stairwells need to be designed wider than used to be required, and some new buildings need photoluminescent exit signs and markers in stairways so people can see in the event of a power outage.

Building security planning and design often means considering worst-case scenarios and how the design can anticipate and respond to specific threats. For example, if the power is out, or a water supply on one side of the building is not available, providing redundancy on another side of the building can ideally allow continuity of service. These approaches relate not just to terrorism but to natural disasters as well, such as hurricanes, tornadoes and earthquakes. A comprehensive security plan addresses design, technology, and operations. While each element can stand alone, building owners derive greater benefits, both financially and in the long run, by considering all three together, at the earliest stages of any design and construction project. Balancing these concerns during conceptual planning provides opportunities to review capital and operational long-term costs and potential savings through life-cycle cost analysis.

-Joan  Goodchild 


AWARENESS 


TSA  Document  Release  Shows 
Pitfalls  of  Electronic  Redaction 

The  inadvertent  exposure  of  a  sensitive  Transportation 
Security  Administration  security  manual  last  month 
serves  as  a  sobering  reminder  about  the  hazards 
of  trying  to  redact,  or  hide,  electronic  text. 

The lapse occurred when a contract employee posted the improperly redacted security manual (which described TSA airport screening methods that are designed to thwart terrorists) on a public website for federal procurements.

Other organizations, such as HSBC Bank and Facebook, have also had embarrassing incidents in which what they thought was unreadable text in electronic documents was made public.

Such lapses often result from a simple misunderstanding of how electronic redaction works, said Barry Murphy, an analyst at Murphy Insights, a Boston-based consultancy specializing in e-discovery and records management.

“Obscuring portions of text in a word processor by placing black boxes over it, for instance, does nothing to redact it,” Murphy said.

The text may not be viewable, but it still can be indexed, making it very searchable and easily retrieved by copying and pasting the blacked-out portion to another document, he said.

Another  common  mistake  is  to  overlook  the  meta-data  and 
revision  histories  that  are  often  automatically  embedded  in 
Microsoft  Word  documents  and  PDF  files,  Murphy  noted. 
Blacking  out  or  deleting  the  text  doesn’t  get  rid  of  this 
meta-data.  The  only  way  to  ensure  that  sensitive 
information  isn’t  simply  visually  hidden  is  to  remove 
it  using  redaction  tools,  he  explained. 
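The two failure modes Murphy describes (text that is only visually hidden but still in the file, and tracked changes and document properties that survive a delete) can be checked for mechanically before a document leaves the building. The following Python script is an added example, not code from the article or from any of the redaction products it names: it builds a small .docx package in memory with constructed placeholder content, audits it for black-on-black text, tracked deletions and authorship properties (the same things a search index, a copy-and-paste or a properties viewer would still see), and then shows what a hard redaction changes by replacing the text itself, dropping the tracked deletion and blanking the core properties, and re-running the same audit.

```python
"""Audit a .docx for text that is hidden but still present, then hard-redact it.

Added example (not the article's code): the .docx below is constructed in memory
with placeholder content. The checks cover the failure modes the article names:
text painted black over black, tracked deletions, and document properties.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
ET.register_namespace("w", W)

# Constructed sample: run 1 is ordinary text; run 2 is "redacted" by painting
# black shading behind black text; the w:del element is a tracked deletion
# whose text is still stored in the file even though Word no longer shows it.
DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:t xml:space="preserve">Screening procedure: </w:t></w:r>
<w:r><w:rPr><w:color w:val="000000"/><w:shd w:val="clear" w:fill="000000"/></w:rPr>
<w:t>SENSITIVE-DETAIL-PLACEHOLDER</w:t></w:r>
<w:del w:id="1" w:author="reviewer"><w:r><w:delText>removed draft sentence</w:delText></w:r></w:del>
</w:p></w:body></w:document>"""

CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/">
<dc:creator>contract-employee (constructed)</dc:creator>
<cp:lastModifiedBy>reviewer (constructed)</cp:lastModifiedBy>
<cp:revision>7</cp:revision></cp:coreProperties>"""

EMPTY_CORE_XML = ('<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties xmlns:cp='
                  '"http://schemas.openxmlformats.org/package/2006/metadata/core-properties"/>')


def build_sample_docx() -> bytes:
    """Pack the constructed parts into a minimal OOXML zip (enough for this audit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def _concealed(run) -> bool:
    """True when a run's text colour equals its shading fill (e.g. black on black)."""
    rpr = run.find("w:rPr", NS)
    if rpr is None:
        return False
    color, shd = rpr.find("w:color", NS), rpr.find("w:shd", NS)
    if color is None or shd is None:
        return False
    return color.get(f"{{{W}}}val", "").lower() == shd.get(f"{{{W}}}fill", "").lower()


def audit_docx(data: bytes) -> dict:
    """Report what an index, copy/paste or a properties viewer would still see."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        core = (ET.fromstring(z.read("docProps/core.xml"))
                if "docProps/core.xml" in z.namelist() else None)
    hidden = [t.text for r in doc.iter(f"{{{W}}}r") if _concealed(r)
              for t in r.findall("w:t", NS) if t.text]
    return {
        "indexable_text": "".join(t.text or "" for t in doc.iter(f"{{{W}}}t")),
        "hidden_text": hidden,
        "tracked_deletions": [t.text for t in doc.iter(f"{{{W}}}delText") if t.text],
        "properties": {el.tag.split("}")[1]: el.text for el in core} if core is not None else {},
    }


def hard_redact(data: bytes, marker: str = "[REDACTED]") -> bytes:
    """Replace concealed text with a marker, drop tracked deletions, blank core properties."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        untouched = {n: z.read(n) for n in z.namelist()
                     if n not in ("word/document.xml", "docProps/core.xml")}
    for run in list(doc.iter(f"{{{W}}}r")):
        if _concealed(run):
            for t in run.findall("w:t", NS):
                t.text = marker                  # the secret itself leaves the file
            run.remove(run.find("w:rPr", NS))    # and the marker is plainly visible
    for parent in list(doc.iter()):
        for child in list(parent):
            if child.tag == f"{{{W}}}del":       # deletions are gone, not just hidden
                parent.remove(child)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("word/document.xml", ET.tostring(doc, encoding="UTF-8", xml_declaration=True))
        z.writestr("docProps/core.xml", EMPTY_CORE_XML)
        for name, blob in untouched.items():
            z.writestr(name, blob)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", audit_docx(sample))
    print("after: ", audit_docx(hard_redact(sample)))
```

The audit on the untouched sample lists the "blacked-out" placeholder, the tracked deletion and the creator and revision properties; after `hard_redact` the same audit finds none of them and the indexable text reads "Screening procedure: [REDACTED]". A real package has more parts (comments, headers, embedded images, custom XML) that a production tool must also walk; this example shows the principle, which is that redaction has to remove the bytes rather than change how they are drawn.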

In a 2005 document Merck sent to a publisher, the drug giant deleted information linking its drug Vioxx to an increased risk of heart disease. But because the deleted information was included in the document’s meta-data, it was available to be recovered later.

“The major, major thing is: Do not use your word processing programs for redaction,” said John Pescatore, a Gartner analyst. There are “very strong, usable software tools that can be used for electronic redaction,” he added.

Examples  of  automated  redaction  tools  include  Redact-IT  from 
Informative  Graphics,  Rapid  Redact  from  Onstream  Systems  and 
ID  Shield  from  Extract  Systems.  -Jaikumar  Vijayan 






Security Wisdom Watch


Pointing Thumbs at Washington

Thumbs Both Ways: Howard Schmidt. President Obama’s choice for White House cybersecurity coordinator, he has been criticized in the past by security analysts who feel he was too slow in previous roles to grasp the importance of threats such as phishing. But he may well have learned from those mistakes. He also has vast experience in the public and private sectors and may prove to be the right man at the right time. We certainly hope so.

Thumbs Both Ways: President Obama. He took far too long to pick his cybersecurity coordinator and it remains to be seen if he’ll pay Schmidt adequate attention. But we believe he chose well in the end. Better late than never.

Thumbs  Up:  Presidents  Bush 
and  Clinton.  By  answering 
Obama’s  call  to  help  with  relief 
efforts  after  the  earthquake  in 
Haiti,  George  W.  Bush  has  a  chance 
to  rehabilitate  his  public  image  after 
the  missteps  of  the  Hurricane  Katrina 
response.  And  if  he  works  as  well  with 
Clinton  as  his  father  has,  countless 
lives  could  be  saved. 

Thumbs Up: The Other Clinton. Another sign the government is starting to understand cybersecurity: Secretary of State Hillary Clinton entered the Google-China fray, demanding more answers from the Chinese government. -B.B.


Chrome  OS  May  Be 
Hacker  Hot  Spot  in  2010 


Google’s operating system will be ‘poked’ by cybercriminals this year, in large part because it will be the new kid on the block, a security researcher predicts

Google’s Chrome OS will be targeted by attackers this year, probably even before it’s officially released, says Sam Masiello, director of threat management at antivirus vendor McAfee.

“It’ll  be  the  new  kid  on  the  block,  that’s  one  of  the  primary  drivers  why  we  think 
cybercriminals  will  target  Chrome  OS,"  says  Masiello.  “The  same  thing  happened  to  Windows 
Vista  and  Windows  7  even  before  they  were  finished.  Since  Chrome  OS  is  new,  it’s  going  to 
be  of  interest  to  security  researchers,  and  it’s  going  to  be  poked  by  cybercriminals  as  well." 
Google  announced  the  open-source  operating  system  last  July  and  released  its  code  in 
November,  but  the  software  isn’t  slated  to  be  available  on  netbooks  until  late  in  2010. 

Another  reason  hackers  will  likely  target  Chrome  OS  is  that  it  relies  on  HTML  5,  the  still- 
unfinished  revision  of  HTML  that’s  designed  to  replace  the  current  crop  of  rich  media  plug-ins, 
such  as  Adobe  Flash  and  Microsoft’s  Silverlight,  with  advanced  features  developers  can  build 
right  into  sites. 

HTML  5  also  supports  offline  Web  applications,  allowing  users  to  access  traditionally 
online  services  and  software  even  when  they’re  not  connected  to  the  Internet. 

“As  we  move  toward  the  advent  of  rich  Internet  applications,  the  lines  are  blurring 
between  online  and  offline,"  said  Masiello.  “Cybercriminals  will  be  able  to  attack  users  when 
they’re  offline,  as  well  as  on." 

Other Google software will make a name for itself (and not in a good way) during the coming year, said Masiello. Google Wave, the search giant’s collaboration and communication offering, may be the perfect tool for controlling a botnet, a collection of compromised computers.

“Google  Wave  uses  XMPP  [Extensible  Messaging  and  Presence  Protocol],  which  provides 
application-to-application  control  for  Web  apps,"  Masiello  said.  “It  could  be  used  for  truly 
decentralized  command-and-control  of  a  botnet,  so  a  takedown  of  a  single  ISP  or  hosting 
company  would  have  zero  impact." 

But  although  McAfee  sounded  the  alarm  about  Chrome  OS,  HTML  5  and  Google  Wave, 
Masiello  acknowledged  that  2010  will  probably  be  limited  to  proof-of-concept  exploits  or 
other  low-level  activities  because  Chrome  won’t  appear  until  later  in  the  year  and  HTML  5  is 
still unfinished. “With HTML5 and Google, we still have some time,” he said. -Gregg Keizer






CAREER 

7  Ways  to  Stay  Happy  in 
a  Miserable  Profession 


Even on a good day, the cybersecurity profession can be rough. There’s no shortage of IT security practitioners who’ve developed prickly dispositions during endless battles with upper management over policies and funding, not to mention employees whose computing habits put the company in danger every day. (For one example, read “The Top 5 Stupid Things People Do With Mobile Phones” at csoonline.com/article/464722.)

But there’s no need to feel like a slave to the grind. Just ask Mike Rothman, Security Incite’s president and principal analyst. Rothman has been around the block, working for such companies as TruSecure, CipherTrust and now eIQnetworks.

He has butted heads with upper management and been fired more than once. Along the way, he learned to be happy in his profession despite its challenges.

data breach. Rothman’s advice is to lay out a clear definition of success that accounts for these pesky realities and just do the best you can. Remember that the CEO may define career success, but YOU define personal success. If the resources, funding and upper-management commitment are enough to give you a shot at achieving personal success, go for it.

2. Focus only on what you CAN control. No matter how hard you try, there will always be things you can’t control: senior management, budgets, user stupidity, IT operational challenges, dimwit DBAs (as Rothman calls them), office politics, business partners, auditors and regulations. The good news is that there are things you CAN control: policies, security awareness, monitoring that enables a quicker response to sinister activity (see key three, below), incident response, communication and how you respond to those dimwits.

3. Look for NOT normal. As noted earlier, the bad guys are always a few steps ahead, and soft targets are all around us. For example, with botnets everywhere, DDoS attacks are getting cheaper. And no matter how much security-awareness training employees have, there will always be someone who falls for phishing schemes. Rothman therefore recommends that IT shops make the most of monitoring tools. The more you look for unusual activity, the better the chances of stopping a data thief.

4. Communicate the good and the bad. Since there are things beyond your control, it doesn’t hurt to lower or, as Rothman puts it, “manage” expectations. To that end, he recommends using what he calls the Rule of Three: 1. Tell people what you are going to do; 2. Do it; and 3. Tell them what you did. “Poke yourself in the eye, then give yourself a hand,” Rothman says.

5. Roll with the punches. This tip is especially hard to heed if you are addicted to trying to control things beyond your grasp. Remember that whatever the atmosphere, it’s not about you and, well, someone always has to pay. Try not to take it personally.

6. Cover thy behind. Rothman’s advice is simple: Protect your flanks by documenting everything and being nice, until it’s time to not be nice.

7. Know thyself. Simply put, Rothman says, work is what you do, not who you are. Asked who he is, Rothman offers this list, in order: husband, father, friend, pain in the behind, security guy, analyst and bad marketer. If you realize after soul-searching that you’re not doing what you love, it’s time to take a leap of faith, he says, adding, “Change is good.”

-B.B.

Lately  he’s  been  visitng  security  organizations  to  give  a  pre¬ 
sentation  he  calls  “The  Pursuit  of  Security  Happyness.”  (As  in 
the  2006  movie  title,  the  last  word  is  deliberately  misspelled.)  In 
an  interview,  he  outlined  his  seven  keys  to  finding  “happyness.” 

1.  Accept  that  you  can’t  win.  Let  s  face  it:  no 
matter  how  many  hours  you  spend  in  your  IT  shop  and  no  mat¬ 
ter  how  big  your  security  budget  and  level  of  upper-manage¬ 
ment  buy-in,  the  bad  guys  are  always  going  to  be  three 
steps  ahead  of  you.  It’s  also  inevitable  that  credit 
won’t  be  given  when  there’s  no  attack,  and  blame 
will  certainly  be  forthcoming  in  the  event  of  a 


Illustration by Belle Mellor




UNCOVER THE CRITICAL INFORMATION YOU NEED TO COMPLETE YOUR MISSION

PLEASE USE PRIORITY CODE NQ1S10 WHEN REGISTERING

FOR FULL EVENT DETAILS AND TO REGISTER:

REGISTER TODAY!


GovSec/U.S. Law
THE GOVERNMENT SECURITY EXPO & CONFERENCE

MARCH 23-24, 2010
WASHINGTON D.C.
WALTER E. WASHINGTON CONVENTION CENTER

WHERE THE MISSION IS TO SECURE OUR NATION

GovSec/U.S. Law is the only event for government that offers a comprehensive perspective on homeland security and has the convergence of IT and physical security at its core. Engage yourself in the full GovSec/U.S. Law experience, including:

A 2-day, 4-track, 20-session program focusing on
• Critical Infrastructure and Protection
• Cybersecurity and Information Assurance
• Domestic and International Terrorism: Deterrence, Preparation and Response
• Law Enforcement Case Studies and Tactics

An expo floor featuring cutting-edge security products demonstrated by top industry innovators. Experience, first-hand, the newest systems, tools and technologies preventing future incidents, preparing for and responding to all hazards and disasters, and ensuring the public safety.

OPENING KEYNOTE
“Cross Platforming: New Interactive Strategies and Creative Solutions”
Anthony E. Zuiker, Creator & Executive Producer of CSI: Crime Scene Investigation

Don’t miss this year’s only expo and conference with a comprehensive approach to securing our country. GovSec/U.S. Law: a must-attend for 2010!




EVENT HIGHLIGHTS

Powerful keynote lineup jump-starting each day

High-level, in-depth conference program

2nd Annual Domestic Defense Symposium: U.S. Military Forces, First Responders & Defense of the Nation

Featured areas on the show floor:
• Cybersecurity Pavilion
• Focus on Digital Forensics
• U.S. Law

And so much more!

BONUS! In the same building, access to FOSE featuring the Defense Innovations Pavilion!




>> TOOLBOX

Your 2010 Antispam Playbook

Appliance or hosted service? That’s just the first of many choices in your battle to stop e-mail spam. CSOs and analysts provide decision support.

By Mary Brandel


At the most basic level, enterprise antispam systems protect organizations against e-mail-related threats by identifying and removing junk mail and malicious messages. Some of the major threats, according to Radicati Group, include viruses, directory harvest attacks and denial of service attacks.

These systems have also broadened their approach to keep up with increased compliance needs and the evolution of e-mail threats toward phishing and malware-distribution URLs, according to Chenxi Wang, an analyst at Forrester Research. For instance, many systems now support antivirus, content filtering for inbound and outbound e-mail as well as Web and instant messaging traffic, encryption, archiving and e-discovery, or they integrate with systems that offer these functions, she says. Forrester calls this type of system “e-mail filtering”; Radicati, “e-mail security”; and Gartner, “e-mail gateway.”

Systems come in three forms: software, appliance and hosted service. While software is currently the largest segment, according to Radicati, appliances make up the fastest-growing category, with a 50 percent annual growth rate over the next four years. The second fastest-growing category is hosted solutions, Radicati says.

Buyers increasingly want a turnkey solution for e-mail filtering, Wang says, which explains the popularity of appliances and, increasingly, hosted services, as they both decrease costs and simplify management. Leading appliance vendors, according to Forrester, are Cisco Systems, Symantec and McAfee/Secure Computing. Leading service vendors are Google/Postini, Microsoft, Symantec/MessageLabs and Websense. Gartner expects to see more hybrid solutions emerging, which include an on-premises appliance and a hosted service with a single management interface and the ability to seamlessly migrate functions from one to the other.

Market Overview

According to Radicati, revenue for all three segments of antispam is forecast to grow from slightly over $3.9 billion in 2008 to over $6.2 billion in 2012.

Organizations are spurred to protect themselves against e-mail threats because of the costs associated with managing spam, loss of user productivity, network downtime, bandwidth costs, compliance and privacy concerns. Since many companies already have antispam systems installed, a significant portion of this market’s growth can be attributed to upgrade and replacement, Radicati says.

Illustration by Adam Nickel

Core Functionality

When Forrester evaluated e-mail filtering vendors in a recent study, it included vendors that offered the following capabilities:

■ Antispam, antivirus and content filtering for both inbound and outbound e-mail traffic.

■ Support for common compliance policies, such as HIPAA, PCI DSS, SOX and the Gramm-Leach-Bliley Act.

■ Filtering capabilities beyond e-mail, either in Web or instant messaging.

Nine Tips

DO go beyond antispam functionality. With spam accounting for 80 percent to 90 percent of all e-mail today, it’s become essential to have an antispam system, Gartner analyst Peter Firstbrook says, and all current systems can be counted on to block almost 100 percent of spam. But if you’re buying an antispam system today, make sure it goes beyond that to include more holistic functionality for e-mail protection, such as data loss prevention (DLP) and encryption. “Even if you’re not going to use it right now, you will in the next three or four years,” he says. “You want to buy a platform that allows you to expand to that without reinvesting in another down the road.”

Such advanced features are what really differentiate solutions today, Firstbrook says. DLP programs can search the bodies or headers of e-mails for any information that requires special protection—Social Security numbers, credit card numbers, patient healthcare data and so on—and then apply corporate policy to determine what action to take, including blocking or encrypting. Now that some states are passing laws requiring that personally identifiable information be encrypted, “you pretty much need DLP to comply,” Firstbrook says.

Jeff Strang, director of IT at Dakota Growers Pasta Company, the third-largest pasta manufacturing company in the United States, says he is looking into the encryption capability of Proofpoint’s service-based antispam system. The company began using the service less than a year ago, he says. “It provides a smart analysis of what is in the attachments and whether they should be encrypted,” he says.

Bob Clarke, network administrator at United Bank and Trust, is similarly looking into the Web filtering module of Google/Postini’s offering. “Even if you allow a site to be browsed, you can block malicious content from coming through,” he says. “We haven’t gotten the OK, but it’s something we’ve talked about.”

At Franklin Synergy Bank in Franklin, Tenn., CIO Kevin Herrington is using five appliances from Barracuda, including its e-mail archiver, backup, Web filter, link balancer and antispam.

DO consider the cloud. Forrester predicts an increasing industry uptake on hosted, or cloud-based, e-mail filtering in the future, particularly as buyers want a turnkey solution that doesn’t require spending a lot of time managing the technology. The research firm also says that the hosted approach provides a lower total cost of operations, rapid user provisioning and less hassle for internal IT operations.

Firstbrook agrees that many companies prefer the hosted approach. “From a price perspective, it’s coming down to the point where it’s $12 per user per year, and for larger companies, it’s $6 per user per year.”

Strang chose a hosted approach because he wanted a solution that resided outside of Dakota Growers’ own network. “We’ve had issues in the past with e-mail security software impacting our hardware assets,” he explains. He likes the fact that Proofpoint offered both hosted and appliance-based systems. “We had never done anything hosted for any of our services, so it was important to have that flexibility,” he says. “If it didn’t go well, we could use the same solution by pulling the appliance on-site.”

As it turns out, Strang says, “given the positive results we’ve achieved, we’re actually moving to hosted solutions in other areas of our business.” For instance, help desk calls related to spam have decreased dramatically, and the company went six months without needing to call Proofpoint to resolve a support issue.

At United Bank & Trust, Clarke chose Google/Postini’s hosted system because it was easier to manage. “We just set up the users, show them how to use it, and the spam never hits our network at all,” he says. With 45 people to support and two IT employees, “it’s one less thing to manage in-house,” he says.

DO count on tweaking if you buy an appliance. At Franklin Synergy Bank, Herrington chose a Barracuda appliance because he had used it when he was IT manager at another bank. Before leaving his previous employer, he copied down the configurations he’d worked hard to perfect so he could apply them at Franklin. “I’d spent a lot of time tweaking the configurations to stop legitimate spam and let the real e-mail come through,” he says. The configurations include spam scoring limits that determine what gets flagged or blocked, as well as whitelisting capabilities for domains considered safe. “I had played with those numbers quite a bit and finally found some that worked well,” he says.

DO evaluate performance. Something that can make or break a product is its performance and throughput while processing large volumes of e-mail, Wang says. At some organizations, as many as 14 of 15 incoming e-mails are spam, she says, so “the performance of the filtering solution determines whether the company’s employees will have timely e-mail access or whether everyone’s e-mails will be delayed and even dropped by the filtering process.”

DO look into how the vendor stays updated on new techniques. Dan Blum, an analyst at Burton Group, compares fighting spam with an arms race, requiring multiple levels of ever-growing protection. The main weapons include reputation-based filtering of both the sender and the sending domain; domain key authentication; active inspection of content, including images; and heuristics-based message analysis.

Spam techniques are constantly changing, so it’s important that the vendor can rapidly detect and react to new spam campaigns that may evade filters, Firstbrook says. Clarke says Google/Postini updates its spam filters every day, and effectively captures 95-plus percent of spam. There are occasions where it doesn’t catch some new technique, “and we get a call from a user saying, ‘Why did we get this?’” he says.

DO consider compliance needs. Compliance requirements are continuing to drive and shape the antispam market, Wang says, and systems are now incorporating sophisticated content-filtering technologies to protect against unauthorized leaks of private and confidential data, as well as integration with archiving and e-discovery technologies.

Clarke says he looked at Google/Postini’s e-mail archiving system’s ability to comply with regulations. However, he ended up choosing something he says was a little easier to use and priced more effectively for his purposes, as it was based on the number of users, not the amount of data being archived. “Our user base isn’t going to fluctuate much, but the data size will,” he says. It’s not inconvenient to have separate systems, he says.

DO determine how much power to give the end user. Some systems enable end users to review a list of quarantined e-mails, or a “gray list” of e-mails that were flagged as spam, and it’s up to the individual administrator to determine how much power to give users to review this list. “Some don’t want the user to go into the gray list because of usability issues, or the possibility the user might make a bad decision,” Blum says. “They might open a message that’s a phishing message and act on it.” Others would like to have the quarantine available so they don’t risk losing an authentic e-mail as a false positive.

At United Trust, Clarke says most users didn’t like receiving daily notification that e-mails had been quarantined. He set up the service so that users were free to check the quarantine digest. They have the choice to approve e-mails and tell the service to never block from that sender again, or they can add addresses or domains to a list that should always be marked as spam. “We noticed that if you manage it for a month, checking two or three times a week, the chance of falsely quarantined e-mail is rare,” he says. He checks his own quarantined e-mails twice a week and, “other than a newsletter once in a while, there is rarely the need to un-quarantine.”


Strang says he appreciates the flexibility of Proofpoint’s message digest because he can manage everything right from the report he reviews every day. “I can go in and manage the account versus just getting a list telling me what was blocked. I can go out to the site and approve, reject and unblock from there.”

DO determine detection and false positive rates. Unfortunately, it’s not easy to get good third-party, independent antispam testing data, on par with what’s available for antivirus, Blum says. “It’s extremely difficult to do testing that would compare vendors,” he says. What customers can do is try to compare core detection and false positive rates by talking to similar customers who might have similar mail flows, or do a proof of concept.

EVALUATION CRITERIA

When evaluating antispam systems, the functional capabilities that should be considered include the following, according to Peter Firstbrook, an analyst at Gartner:

Antispam: The system should provide a minimum 99.5% spam-detection rate, with fewer than one in 400,000 false positives. It should also provide a real-time reputation system that silently drops at least 75% of spam at the SMTP connection (90% for best-of-breed solutions) to accommodate growing spam volumes.

Antivirus: This includes signature-based virus analysis, file-attachment analysis, proactive detection methods, a database of known risky URLs and the ability to deal with zipped files.

Management capabilities: An effective GUI and comprehensive management interface will reduce administrative overhead. Advanced capabilities include a wizard-type installation mechanism with optimal default settings; a task-based rather than feature-based GUI; automatic configuration, policy synchronization and centralized quarantines in multibox deployments; and corporate allow-and-deny databases.

Reporting: Advanced tools include a real-time graphical and table-based dashboard; custom and consolidated reports; and a database for fast report queries and the ability to hold historic data.

End-user controls: The amount of control given to end users will depend on enterprise policy. Controls include language support, active quarantine summary digests, spam category threshold adjustments and personal allow-and-block lists.

Policy interface: These should be user-friendly and intuitive for nontechnical personnel. Capabilities include a printable summary for auditing, reusable policy objects and the ability to run reports on hit rates for each policy.

DLP: The ability to prevent the loss of sensitive data is a key differentiator.

Encryption: An increasingly standard feature is server-to-server TLS encryption. More advanced offerings that usually cost extra include Secure/Multipurpose Internet Mail Extensions (S/MIME), OpenPGP or Web-based push-pull.

Integration: The components with which it may be desirable to integrate include Web gateways, DLP solutions, IM hygiene functionality and archiving systems.
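Blum’s advice to compare core detection and false positive rates in a proof of concept, together with the Gartner thresholds in the Evaluation Criteria sidebar (99.5% detection, fewer than one false positive in 400,000, at least 75% of spam dropped at the SMTP connection), can be turned into a small scoring harness. The following is an added example, not code from the article or from any vendor it names; the log format, the verdict names and the sample run are constructed, and the 95% upper-bound estimate (rule of three for zero false positives, normal approximation otherwise) is a standard statistical check that the article does not describe.

```python
"""Score a proof-of-concept antispam run against the Gartner criteria in the sidebar.

Constructed example, not code from the article or from any vendor it names.
Input is a hypothetical PoC log, one record per message:  <message-id> <truth> <verdict>
  truth   : spam | ham  (label from the labelled test corpus)
  verdict : conn-reject (dropped at the SMTP connection by reputation) | content-block
            | quarantine (held for user review) | deliver (passed to the mailbox)
"""
import math
from collections import Counter
from dataclasses import dataclass

# Thresholds quoted in the "Evaluation Criteria" sidebar (Firstbrook, Gartner).
MIN_DETECTION_RATE = 0.995             # at least 99.5% of spam caught
MAX_FALSE_POSITIVE_RATE = 1 / 400_000  # fewer than one false positive in 400,000
MIN_CONNECTION_DROP = 0.75             # at least 75% of spam dropped at the SMTP connection
BEST_OF_BREED_CONNECTION_DROP = 0.90   # 90% for best-of-breed solutions

CAUGHT = {"conn-reject", "content-block", "quarantine"}   # any verdict that stops the message
VERDICTS = CAUGHT | {"deliver"}


@dataclass
class PocScore:
    spam_total: int
    ham_total: int
    spam_caught: int          # spam stopped at any stage
    spam_conn_rejected: int   # spam dropped at the SMTP connection
    ham_caught: int           # false positives: legitimate mail blocked or quarantined

    @property
    def detection_rate(self) -> float:
        return self.spam_caught / self.spam_total if self.spam_total else 0.0

    @property
    def false_positive_rate(self) -> float:
        return self.ham_caught / self.ham_total if self.ham_total else 0.0

    @property
    def connection_drop_rate(self) -> float:
        return self.spam_conn_rejected / self.spam_total if self.spam_total else 0.0

    def fp_rate_upper_bound(self) -> float:
        """Approximate 95% upper confidence bound on the true false-positive rate.
        Zero observed false positives on N ham messages only bounds the rate near 3/N
        (the 'rule of three'), so a small PoC corpus cannot prove the 1-in-400,000 bar
        even when it shows no false positives at all."""
        n, k = self.ham_total, self.ham_caught
        if n == 0:
            return 1.0
        if k == 0:
            return min(1.0, 3.0 / n)
        p = k / n
        return min(1.0, p + 1.96 * math.sqrt(p * (1.0 - p) / n))


def score_poc(log_lines):
    """Tally one PoC log; malformed records raise instead of being silently skipped."""
    counts = Counter()
    for raw in log_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1] not in ("spam", "ham") or fields[2] not in VERDICTS:
            raise ValueError(f"malformed PoC record: {line!r}")
        counts[(fields[1], fields[2])] += 1
    return PocScore(
        spam_total=sum(n for (t, _), n in counts.items() if t == "spam"),
        ham_total=sum(n for (t, _), n in counts.items() if t == "ham"),
        spam_caught=sum(n for (t, v), n in counts.items() if t == "spam" and v in CAUGHT),
        spam_conn_rejected=counts[("spam", "conn-reject")],
        ham_caught=sum(n for (t, v), n in counts.items() if t == "ham" and v in CAUGHT),
    )


def check_criteria(score):
    """Pass/fail per sidebar criterion, plus whether the corpus can even evidence the FP bar."""
    return {
        "detection >= 99.5%": score.detection_rate >= MIN_DETECTION_RATE,
        "false positives < 1 in 400,000": score.false_positive_rate < MAX_FALSE_POSITIVE_RATE,
        "FP criterion provable with this ham corpus": score.fp_rate_upper_bound() < MAX_FALSE_POSITIVE_RATE,
        "connection-level drop >= 75%": score.connection_drop_rate >= MIN_CONNECTION_DROP,
        "best-of-breed connection drop >= 90%": score.connection_drop_rate >= BEST_OF_BREED_CONNECTION_DROP,
    }


def constructed_poc_log():
    """Constructed sample run: 28 spam and 2 ham messages, near the 14-of-15 spam ratio the article cites."""
    verdicts = ["conn-reject"] * 22 + ["content-block"] * 4 + ["quarantine", "deliver"]
    lines = [f"msg{i:03d} spam {v}" for i, v in enumerate(verdicts, start=1)]
    return lines + ["msg029 ham deliver", "msg030 ham deliver"]


if __name__ == "__main__":
    result = score_poc(constructed_poc_log())
    print(result, check_criteria(result), sep="\n")
```

The constructed run passes the 75% connection-drop bar but fails the 99.5% detection bar, and its two ham messages are far too few to say anything about a 1-in-400,000 false-positive rate, which is why the harness reports the FP criterion as not provable rather than as met.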

DO look for Web filtering integration. Many times, e-mail threats are blended threats that encourage users to click on a URL. For that reason, Blum says, it’s good for the antispam system to include a Web filtering capability or integrate with such a system so it can check the reputation of that URL. “That kind of integration is fantastic,” he says. ■

Mary Brandel is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.




Stop fighting security and compliance fires one at a time.

Start deploying integrated data protection with less cost, less complexity and more control.

Join us at the 2010 Security Inside Out Summit: “Lowering Costs of IT Security & Compliance”

Learn how to meet security and compliance requirements for your databases, middleware and applications quickly, easily and cost effectively. Register now for your chance to discover new cost-cutting IT security approaches based on insight from the security experts at Oracle.

Make the most out of your existing IT investments with a strategic security-inside-out approach to protecting enterprise information and explore:

• Proven practices for developing a cost-effective end-to-end security architecture
• Transparent data encryption that requires no changes to existing applications
• Effective privileged user preventive controls and insider threat mitigation
• Solutions for automating activity monitoring, auditing and compliance reporting
• Advances in securing applications and assets in a cloud computing environment

FREE Half-Day Event
REGISTER NOW: www.networkworld.com/NWPA1
Questions? Call (800) 643-4668

This event is limited to qualified network and IT professionals as determined by Network World and CSO. All registrations will be reviewed and registrants will be notified of their attendance status promptly. Network World and CSO have the right to determine total audience profile.

REGISTER TO WIN! You could win a $500 American Express gift card when you attend. Some restrictions apply.

2010 SUMMIT HIGHLIGHTS:

Keynote Address: Security Inside Out: Lowering the Costs of IT Security & Compliance

3 In-Depth Information Sessions:
► Cost-Effective Enterprise Data Security
► Secure Your Data in 45 Minutes
► Securing Cloud with Identity Management and Service-Oriented Security

10-CITY TOUR! Attendance is FREE but seating is limited. Register now for a summit near you:

January 19: Jersey City, NJ
January 21: Boston, MA
January 26: Chicago, IL
February 2: Houston, TX
February 4: Miami, FL
February 10: Calgary, Alberta
February 11: Seattle, WA
February 17: San Diego, CA
February 18: Washington, DC
March 4: Toronto, Ontario

www.networkworld.com/NWPA1




COVER STORY | PHYSICAL SECURITY

Security and architecture have to work hand-in-hand to keep parking areas safe. Here are the fundamentals.

By Michael Fitzgerald

When the Ryder van blew up just after noon on Feb. 26, 1993, it rocked the World Trade Center, killing six people, wounding more than a thousand and leaving a hole more than 100 feet wide in the ground. Though we now know it mainly as a failed first attempt at destroying the World Trade Center buildings, the incident remains the worst event involving a parking garage to occur in the United States.

That event caused a significant rethinking of how buildings manage their parking, particularly what kind of vehicles are allowed to enter underground parking facilities. Coupled with the massive truck bomb that blew up the Alfred P. Murrah building in Oklahoma City in 1995, it’s little wonder that high-profile buildings now have stringent rules about who can park near them.

Thankfully, parking bombs are rare. If you type variations on “worst parking garage disasters” into search engines, you’ll get photos of embarrassingly bad parking jobs or a video of a driver gunning the engine instead of hitting the brake and accidentally playing monster truck.

Instead, parking plagues CSOs in smaller ways, and close to a thousand times every day. That’s how many muggings, car break-ins and other crimes occur in parking facilities across the United States every 24 hours. Parking security incidents rarely involve deaths, instead having a kind of drip effect that can wear down corporate security officers. Customers who have incidents, or hear about them, look askance at where they are shopping. Employees wonder about their employers. It’s CSOs’ job to respond. Their most effective tools? “Visibility and surveillance are the two greatest deterrents to crime,” says Paul Dubois, executive director of Tomasi-Dubois and Associates, a parking security adviser in Los Gatos, Calif.

E-Trade found this out firsthand when a rash of “car clouts”—thieves smashing car windows and taking things like stereos and loose items—occurred at complexes where it had offices in Alpharetta, Ga., and Sacramento.

“We had nobody physically attacked and no incidents of robberies,” recalls Bob Luca, E-Trade’s head of physical security from 1999 to mid-2007. “Just car clouts. But people were very upset about that. Employees want to feel safe when they go to work.”

Luca, now a candidate for sheriff in California’s El Dorado County, says that E-Trade organized a multifaceted response. He was able to get local law enforcement to come take reports on the incidents, which Luca says can be difficult in larger jurisdictions and would be even harder to arrange now, given economic conditions.

As E-Trade expanded in Sacramento from one building to five, it ran into other parking lot issues. The lots, which were shared, were run by the company that managed the building, so there were limits to what E-Trade could do. It could not put cameras on light poles, for privacy reasons. It could not erect fencing. It could and did put cameras on buildings so it could monitor the parking lot near its entrances. It also made sure that lighting met the standards specified by the principles of crime prevention through environmental design (CPTED), a methodology that develops wide-ranging guidelines for implementing design features intended to deter criminals.

Bob Luca, former head of security for E-Trade, says CSOs must design parking security measures in accordance with local threats. (Photo by Shannon McIntyre)

The company also developed and began regularly posting items about better parking security on its intranets. These postings were largely commonsense tips such as, Don’t leave packages or, heaven forbid, notebook computers sitting in plain sight in a car. At Christmastime, it sent out regular reminders that employees should not leave wrapped presents or shopping bags in their vehicles anywhere they could be seen.

Luca also sent his security personnel out to regularly walk the parking lots and look for unusual activity. He made sure there were two security personnel on duty at night, and employees were encouraged to ask for escorts to their cars. He worked to build strong relationships with local law enforcement so that they might be more likely to respond to incidents. After a gang was seen near remote parts of the lot, he was able to get local police to send cruisers by a couple of times a day. Although security’s workload was increased, Luca was able to restore a sense of safety about parking to E-Trade employees.

Luca could have faced far worse. People have been kidnapped and even murdered in huge public parking lots at malls and casinos.

Parking  Karma 

Parking  lots  represent  just  one  of  the  kinds 
of  parking  a  company  may  have,  along  with 


underground  and  aboveground  parking 
structures.  Each  create  their  own  security 
challenges. 

All  CSOs  must  look  at  parking  in  con¬ 
text  of  operations.  Basic  questions  include: 

■  Where  are  the  facilities  located? 

■  Do  organizations  that  use  the  parking 
areas  conduct  sensitive  research  or 
host  emotionally  charged  situations,  a 
la  courthouses? 

■  Does  the  organization  control  its  own 
parking? 

■  Does  the  general  public  have  access  to 
the  parking  facilities? 

■  Can  parking  be  built  anew,  or  is  it 
already  in  place? 

■  What  are  local  ordinances? 

Answering  these  questions  will  help 

CSOs  figure  whether  their  security  risks 
around  parking  fall  in  the  low,  medium, 
high  or  “special”  category.  “The  kind  of 
criminal  activity  surrounding  your  site 
determines  the  level  of  security  you  want 
in  your  structure,”  says  R.  Bruce  Ramm, 
president  of  Security  Design  Concepts  in 
Orange,  Calif.  Ramm  recommends  check¬ 
ing  with  local  police,  who  will  have  block- 
by-block  crime  statistics,  instead  of  relying 
on  general  information  for  a  larger  area. 

A high-security facility requires scanning cameras, people to watch those cameras, and regular security patrols, which can add $200 to $300 per space per year to corporate costs.

The “special” category might include iconic buildings. Federal buildings in general have higher-risk profiles than their nongovernmental counterparts—a parking garage next to a Veterans Administration building has higher security requirements than one next to a civilian hospital, for example. Buildings like courthouses and laboratories, especially animal laboratories, will have higher-risk profiles than plain-vanilla corporate offices, says Mary S. Smith, senior vice president of Walker Parking Consultants in Indianapolis. She has also served on panels that established CPTED (crime prevention through environmental design) guidelines.

CSOs also need to look at the benefits of both “passive” security techniques, such as lighting and fencing, and “active” ones, such as security patrols.

Finally, it’s best to overdesign from the start. Even if a parking facility doesn’t need surveillance cameras or panic buttons right now, it’s cheap to design in the conduits needed to add them if the neighborhood changes for the worse. Including them when the structure is first built will run perhaps a few thousand dollars total—small potatoes compared to the $15,000 to $20,000 per space a parking garage can cost—but trying to retrofit an existing structure can get very costly, very quickly.

Parking Lots

Parking lots present the lowest risk of a bomb threat, since, as Wilson notes, a shock wave from a bomb in a parking lot will radiate in all directions, reducing the damage it can do. The big issue for parking lots comes from trying to keep people and cars visible. Large lots like those at shopping centers create problems because it’s difficult to see the whole area, even with closed-circuit cameras, especially at night. Some malls have both lots and garages, which have lower visibility than lots alone unless they’re properly designed.


28 www.csoonline.com February 2010


Photos courtesy Bob Luca


» Bright lighting, clear signage, unobstructed sight lines, well-positioned fencing and appropriate surveillance are elements of well-designed parking facilities. Security and safety needs must be coordinated, and for many businesses, aesthetics are also important.


Putting up fencing or hedges around the perimeter of a parking lot can make it harder for people on foot to get in, but it also adds costs, and many fences are ugly. Plus, if you’re a retailer, you typically want your parking lots easily accessible. Open parking means pedestrians, too, can get to stores. Installing fencing and traffic gates can help limit foot traffic, but it can also cause traffic problems. Randall Atlas, vice president of Atlas Safety and Security Design in Fort Lauderdale, Fla., says it comes down to the value of an investment. He notes that a mall parking lot in Boca Raton has seen a double murder and a kidnapping in the past few years, “and the middle- and upper-class moms stopped going.” In contrast, he pointed to a mall in Miami that maintains a secure perimeter, with guards and patrols, and says it’s seen as the place where the wealthy can safely shop.

For small parking lots near an office building or small retail operations, check with local police on crime statistics within a one- or two-block area. This will help you gauge what risks customers and employees—and their cars—will face when parking.

Brighter lights and stripes of reflective paint offer the most cost-effective ways to improve security in small lots. “The perception that a lot is unsafe generally comes from low lighting,” says Dubois.

For large lots, Noli Alarcon, vice president of engineering at Timothy Haahs and Associates in Blue Bell, Pa., says CSOs should plan to employ security guards who patrol lots, either in vehicles or on foot. Cameras and people to monitor them also make sense, and he suggests that sidewalks can help reduce security issues.

In general, if a lot is already well lit and has good surveillance cameras, another way to beef up its security is to add active security personnel, says Dubois. “The key is good response” to incidents, he says.

Security Principles for Parking Garages and Structures

Atlas says the basics for parking garages are access-control gates, cameras, card readers, control boxes and an intercom, as well as blue light or “panic button” systems.

Try not to put interior walls in the structures because such walls make good hiding places, advises Alarcon. Interior staircases also provide a haven for muggers, so he recommends that stairs be surrounded by glass so people are visible inside them. Likewise, elevators should be open and have a glass back, and lobbies should also be open. Alarcon says he always considers whether he’d feel comfortable if his teenager were parking in a structure he designed.

Fencing around the first floor provides a good low-level security tool, since it will force foot traffic through the car entrance, which can be staffed. For higher-security facilities, a brick wall on the first floor is harder to penetrate than a fence, and a level of fencing can be installed on top of it to thwart the use of ladders. Anti-climbing fencing and walls that tilt outward can be used to secure upper floors.

High-security buildings at a facility like a VA hospital require that a bomb not cause the parking structure to collapse into the hospital. A 40-foot-high parking structure either has to be 40 feet from the hospital or needs to have a blast wall. No blast wall can withstand a bomb like that used in Oklahoma City, so staff must be trained to monitor for such threats at the entrances. In a mixed-use garage, some of the floors can be restricted to employee parking, limiting the potential for cars to be broken into or assaults to occur.

Underground Parking

Underground garages have the potential to create the most security problems. The 1993 World Trade Center bombing changed attitudes toward these facilities. “That was a catalyst to realize you can bring down an entire high-rise if you’re not paying attention to what’s going on in your garage,” says Dubois.

In general, underground garages lack open sight lines, have enclosed staircases and require so many internal walls that it’s costly to install enough cameras to keep an eye on all parts of the garage. But in densely populated areas, sometimes down is the only way to go to get parking.

The same security principles apply generally in underground garages as in parking structures. ■

Michael Fitzgerald is a frequent contributor to CSO. Send feedback to Editor Derek Slater at dslater@cxo.com.




CONVERGENCE 


The Cyber/Location Nexus


What happens when the once-unanchored world of cyberspace collides with geolocation? Christopher Tucker looks at the effects on art, privacy, security and more.

When the science fiction author William Gibson popularized the term “cyberspace” in the early 1980s, it was a reference to an otherworldly domain, a parallel universe in which people’s real-world lives had become inextricably linked through the virtual web created by networked computing’s omnipresence in their lives. In these intertwined universes—actual and computer-generated—Gibson had envisioned a domain in which nefarious actors could harness the cyber domain to manipulate, harm and even destroy ideas of economic, social and cultural value that had been either created or stored in cyberspace.

Surely, in some important respects, Gibson’s vision has been realized. Our society’s dependence on cyberinfrastructure, and the extent to which everyday people have become beings embedded in (and reliant on) networked computing and communication, have raised cybersecurity to a presidential concern. In the first several months of the Obama administration, we have seen the leader of the free world make a top priority of the need to protect what Gibson, nearly 30 years ago, foresaw as a dominant feature in the landscape of our civilization’s future.

Something happened to the modern world, contemporaneously with this cyber transformation, that was not a part of Gibson’s original vision but which he placed at the center of Spook Country, his most recent novel: the location-enablement of everyday life. The concept animating this novel is that the cyber domain transmits digital content into the complex urban terrain of the real world, requiring people to have a mastery of Global Positioning System (GPS) technology and wearable human-computer interfaces, and shaping the ways they interact with content generated in the virtual worlds of the cyber domain.

Gibson’s story operates at what I like to call the cyber/location nexus. He artfully weaves several location-enabled story lines together, which not only emphasizes the extent to which his original vision of the cyber domain has come to pass, but also shines a light on how real-world location can be the anchor for cyber content and cyber experiences. On the flip side, Gibson also showed how events in the real world, through location-enabled technologies, can be tracked and monitored in cyberspace. This melding of the two worlds, that of the cyber domain and the real world (where geospatial location matters), not only makes for great science fiction and great intrigue, but it also marks a historic inflection point where the cyber domain and the real, physical world were understood to converge in popular culture.

The Dual Revolutions Fueling the Nexus

While Gibson is a recent arrival to the cyber/location nexus, the geospatial revolution actually began just when the cyber revolution did. The Cold War (and its corollaries, the space race, Keyhole satellite reconnaissance and nuclear command-and-control) was the impetus for massive investment by the Department of Defense and the intelligence community in ambitious new technologies, which brought about what can be thought of as the Cyber Revolution and the Geospatial Revolution. While these dual revolutions are each complex and involve complementary and intersecting technologies, it is instructive to examine the government’s investments in ARPAnet and in the Global Positioning System.

In the wake of Sputnik, the DoD founded the Advanced Research Projects Agency (ARPA) in 1958, giving it the mission of ensuring the American military’s technological dominance. One of ARPA’s early projects was ARPAnet, an experiment in computer networking and communications that promised to provide resilient nuclear command-and-control. Vint Cerf, who is now Google’s chief Internet evangelist, was the ARPAnet program manager and responsible for both the 32-bit IPv4 namespace (192.168.0.1, anyone?) and the TCP/IP protocol that are at the core of today’s cyberinfrastructure. In important ways, Cerf was Gibson’s muse. ARPAnet planted a seed that has grown into the global cyberinfrastructure that permeates modern life. During that period of growth, the imaginations of some of the world’s brightest minds were captured by the template that Cerf and his team created and by the patterns of future life that Gibson saw Cerf’s template enabling. This led to four decades of innovation that fundamentally shaped modern life, and the fruits of this ingenuity have become essential to everyday people and the basic institutions of civilization. The Cyber Revolution played out in a very public manner, with all of Western society watching with great anticipation.

But every revolution is different, and the Geospatial Revolution began in secrecy. It was sparked by GPS, the space-based “position and timing” solution designed and deployed by the American defense and intelligence communities during the Cold War. GPS served as a “secret sauce” in a wide array of defense technologies, providing highly accurate geopositioning information for Keyhole spy satellite imagery, precision munitions, satellite positioning, missile guidance and military navigation. Location is acutely relevant in matters of national security.

What is important to grasp, but what is commonly misunderstood, is that a GPS receiver does not tell you where you are. The receiver determines your location using information that is streamed by a constellation of 24 satellites that derive their own locations from atomic clocks and a whole lot of math based on Einstein’s general theory of relativity. So, it is a complex system of position and timing, communications and computing technologies that allow you to figure out your location and broadcast it to the world. Just imagine the highly advanced technology, and all the graduate-level mathematics, required to determine the position and orientation of a spy satellite so that it can be used to inform an intelligence analyst, upon spotting a sought-for vehicle in a satellite image, where exactly on the face of the Earth a particular bad guy is located.
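The receiver-side computation the paragraph describes, as an added illustration that is not part of the article: the satellites only broadcast their own positions and time, and the receiver solves for its three coordinates plus its own clock error from the measured pseudoranges, which is why a fix needs at least four satellites. The satellite positions, the receiver location and the 1 ms clock error are constructed sample values (metres, Earth-centred coordinates), not real ephemeris data; the relativistic clock corrections the text mentions are not modelled.

```python
"""Receiver-side GPS position fix from satellite pseudoranges.

Added illustration (not from the CSO article): the satellites broadcast their
own positions and clock; the receiver solves for its position AND its own
clock error, which is why at least four satellites are needed.
Satellite positions, the receiver position and the clock bias are constructed
sample values (metres, Earth-centred coordinates), not real data.
"""
import math

SPEED_OF_LIGHT = 299_792.458  # metres per millisecond

# Constructed satellite positions, roughly at GPS orbital radius (~26,600 km).
SATELLITES = [
    (15.0e6, -10.0e6, 20.0e6),
    (-5.0e6, -20.0e6, 18.0e6),
    (10.0e6, -22.0e6, 10.0e6),
    (0.0, -12.0e6, 24.0e6),
    (22.0e6, -14.0e6, 4.0e6),
]
# Constructed "true" receiver position near the Earth's surface (~6,310 km
# from the centre) and a 1 ms receiver clock error expressed in metres.
TRUE_POS = (1.0e6, -4.6e6, 4.2e6)
CLOCK_BIAS_M = 1.0 * SPEED_OF_LIGHT


def distance(a, b):
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


def make_pseudoranges(sats, pos, bias_m):
    """Pseudorange = geometric range + range error caused by the receiver clock."""
    return [distance(s, pos) + bias_m for s in sats]


def solve_linear(a, y):
    """Solve a*x = y for a small dense system (Gaussian elimination, pivoting)."""
    n = len(y)
    m = [list(row) + [y[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def solve_position(sats, pseudoranges, max_iter=20, tol=1e-6):
    """Gauss-Newton least squares for (x, y, z, clock bias in metres).

    Starts from the Earth's centre with zero bias, the usual cold-start guess.
    Each pseudorange gives one equation; four unknowns need >= 4 satellites.
    """
    if len(sats) < 4:
        raise ValueError("need at least four satellites for a 3-D fix plus clock")
    est = [0.0, 0.0, 0.0, 0.0]
    for _ in range(max_iter):
        rows, resid = [], []
        for s, rho in zip(sats, pseudoranges):
            r = distance(s, est[:3])
            # Partial derivatives of the modelled pseudorange w.r.t. x, y, z, b.
            rows.append([(est[i] - s[i]) / r for i in range(3)] + [1.0])
            resid.append(rho - (r + est[3]))
        # Normal equations: (J^T J) dx = J^T resid
        jtj = [[sum(row[i] * row[j] for row in rows) for j in range(4)] for i in range(4)]
        jtr = [sum(row[i] * rr for row, rr in zip(rows, resid)) for i in range(4)]
        dx = solve_linear(jtj, jtr)
        est = [e + d for e, d in zip(est, dx)]
        if math.sqrt(sum(d * d for d in dx)) < tol:
            break
    return tuple(est)


def fix_error_m(sats, pseudoranges, true_pos, true_bias):
    """Return (position error, clock-bias error) in metres for a solved fix."""
    est = solve_position(sats, pseudoranges)
    return distance(est[:3], true_pos), abs(est[3] - true_bias)


if __name__ == "__main__":
    rho = make_pseudoranges(SATELLITES, TRUE_POS, CLOCK_BIAS_M)
    x, y, z, b = solve_position(SATELLITES, rho)
    print(f"fix: ({x:.3f}, {y:.3f}, {z:.3f}) m, clock bias {b / SPEED_OF_LIGHT:.6f} ms")
    print("position error: %.6f m" % distance((x, y, z), TRUE_POS))
```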

But what was once impossibly complex national security technology has rapidly, though stealthily, become an element of everyday life. After the USSR shot down a commercial airliner that strayed into prohibited airspace, President Reagan issued a directive making GPS freely available for civilian use. Today, as everyone knows, the technology permeates modern life with GPS-enabled phones, cars, personal navigation devices, cameras and other devices.

The Geospatial Revolution, compared to the Cyber Revolution, was relatively quiet. GPS was designed for use in national security matters and only slowly made its way out to the public. Certainly, geospatial technologies of all kinds have been around for quite some time, supporting a relatively small community of geospatial specialists. One can Google the professions of photogrammetry, geodesy, remote sensing, and GIS to see that digital mapping and geospatial technologies have long, rich histories. But it’s only fairly recently that everyday life has been transformed by location- or geo-enablement. This is due to the extensive and ever-increasing incorporation of GPS technology into everything. The GPS constellation has become a public utility, and GPS chips have become commodities that designers are increasingly apt to add to new devices by default.

Two Revolutions Walk Into a Bar...

If we reduce the Cyber Revolution to the ubiquitous IP-enablement that has seized the modern world, and if we reduce the Geospatial Revolution to a quip from the PBS documentary of the same name, “The location of anything is quickly becoming everything,” we are then left to ponder the impact of these revolutions combining forces. Because, indeed, these dual trends of IP- and geo-enablement are merging. It seems that everything will eventually be IP-enabled, bringing to life the Cerf/Gibson paradigm of a near fusion of the cyber and physical worlds. Completing this fusion will be the fact that all of these cyber- or IP-enabled gadgets will also be location- or geo-enabled. These two revolutions are unwittingly combining forces because cyberconnectivity and location-awareness independently have functional value to us in national defense, business and life. This obvious value has necessitated both public and private investment of epic proportions. And as these dual trends converge to a nexus, something new is happening.

In Spook Country, Gibson introduced the notion of locative art (also known as locative media)—think of large modern art installations that are conceived and crafted in virtual space and projected onto the real-world terrain, oriented and anchored by GPS but only viewable through a special set of GPS-enabled goggles. Imagine if such a rich addition to the culture were vulnerable to hacking, and thus defacement or destruction, and think of the value that would be lost to a particular geography (for example, a property or a community) as a result of that kind of vandalism, even if only the people jacked into cyberspace through location-enabled goggles would know to miss it.

While not as literary, the vulnerabilities that exist at the cyber/location nexus become much more disturbing as they reach out to us in the real world—the world in which our corporeal bodies live, love and die. You can think of all of these IP- and geo-enabled devices as sensors, each capable of making some sort of observation over some part of the Earth and perhaps attached to some sort of control point or process. This might be as trivial as an IP webcam that has a GPS-derived location and a gyroscope detecting the pitch, yaw, roll and angle of view that together characterize a very specific and geospatially precise chunk of the Earth. Or networked thermostats installed across a corporate campus, marshaling HVAC resources to various locations based on the occupant’s designated settings. It could be network-accessible imagery satellites, Predator drones, security access controls, stream gauges, traffic monitors, ocean buoys, automobiles, SCADA systems, asset management systems or mobile computing devices. Yes, it could be your BlackBerry or iPhone. As IP- and geo-enablement proliferate, this list simply gets longer. As they are IP-enabled, each one becomes vulnerable to hacking, and when they are also location- or geo-enabled, they become susceptible to “space-time hacking.”




The Dawn of “Space-Time Hacking”

Many everyday users of the World Wide Web have stumbled across a website capable of taking their IP address and telling them the city they live in. So, to some extent, it has seeped into the popular consciousness that one could locate an individual based on his unique address. But until now, this mapping of the cyber to the physical world has been of little consequence unless you are worried about stalkers or law enforcement.

The worst consequences a hacker could mete out by infiltrating an IP-enabled device are the loss of your data, the permanent death of your computer, the theft of your identity or the denial of a cyberspace service that you depend on. While admittedly these are serious consequences that you should vigilantly seek to avoid, the threats at the cyber/location nexus make these look tame.

Let’s look at the world once it sits firmly at the cyber/location nexus—from the perspective of a nefarious actor. The cyber domain will have evolved into a medium through which bad actors can reach every IP-enabled resource (which at this point would be virtually everything that matters) within any particular geography, with precision geopositioning, and choose to either exploit, manipulate or destroy each individual or class of resource. Such foes will in effect have the ability to harness the functional power of the convergence of IP- and geo-enablement against anyone at a time and place of their choosing.

Just imagine being able to exfiltrate, undermine, alter or end all networked computing within any arbitrarily small or large geography, at any moment in time, for any period of time, particularly during moments at which vital interests are at stake. In a national security context, one might term this a “denial of mission.” But with such a rich resource to hack, the imagination reels at the idea of inventing names for all the opprobrious deeds bad actors could perpetrate against commercial and noncommercial activities in the private sphere.

In essence, the cyber/location nexus serves as a comprehensive, geospatially enabled “reverse-lookup” targeting infrastructure that allows an asymmetric adversary to quickly marshal all IP endpoints (which are all cyber vulnerabilities), fixed and mobile, within any arbitrary geography at any moment in time. Along with these endpoints, the adversary will be able to quickly gather sufficient information about these assets to categorize and prioritize them within an order of battle specially designed for his particular purposes. It will not just be a brute-force denial of mission. It will allow for surgical precision.

At the nexus, one can easily imagine a hacker denying mobile communications to response personnel within an area before shutting down a mission- or business-critical facility by toying with its HVAC and setting off its alarm system, then shutting down the traffic signals on some key chokepoint intersections, complicating the personnel evacuation, all while monitoring the manufactured event over his target’s surveillance cameras and streaming spoofed camera footage to the target’s security forces, in order to maximize the casualties from a remotely controlled chemical attack in that exact location. It doesn’t take much effort to imagine something considerably worse.

Widening the Cyber Aperture

Clearly, in this day and age, cybersecurity should be a major priority of the president. The White House’s recent 60-day cybersecurity review, while a good start, has failed to envision the world as it will be when the cyber/location nexus comes to full fruition.

The Gibson/Cerf paradigm has now evolved to encompass the cyber/location nexus, and as their complementary worldviews have done in the past, they will inspire a new wave of beneficial innovation that public policy can only hope to keep up with. They will also inspire a new wave of villainy.

In this context, it is important that the president adopt a strategy in tune with a future in which the cyber domain could serve as a pathway that increases our adversaries’ abilities to fight a war, or just cause a whole world of hurt, at a time and place of their choosing. ■


Dr. Christopher K. Tucker is the founding chief strategic officer of In-Q-Tel, the CIA’s venture capital fund, and a board member of the U.S. Geospatial Intelligence Foundation.




[undercover]

By Anonymous


From the CIO: Why You Didn’t Get the CISO Job

The previous Undercover columnist lamented the state of security hiring. Here’s a response from the other side of the desk.


Dear Anonymous,

It was fascinating to read your thoughts about our recent conversation in CSO (see “The Many Challenges of Finding Work as a CISO/CSO,” Undercover column, October 2009). And when I say “fascinating,” I mean in the sense of watching Nascar: a lot of predictable left turns and some really embarrassing, squirm-inducing shots of the fans.

I do like you, I think you’re a nice guy, and so I wanted to give you some feedback about the interview process and what you’re going to need to change to be successful. I don’t think you’re going to enjoy reading this. But maybe some of those hours that you’re spending maintaining that “vast database” of yours could be better spent understanding why we hired someone who understands they’re an engineer.

But before I get into that: There is no small talk in interviews. Do you get drunk at interview dinners, too? You blew it in the first two phone screens; I’m going to tell you how, and I’m going to use your words and explain what I thought when I read them. Quote:

“Is it the misconception that companies don’t really know or understand the enormous value that the CISO/CSO can bring to the table?”

It’s not our job to understand that; it’s your job to demonstrate it. To demonstrate it, to make it real every single day. CSOs keep talking about value, but let me clue you in on something: The economy is in a recession. What brings value is sales and cost reductions. Sales come from marketing and new products. Those boost the top line. Cost reductions—things like firing a CSO—help the bottom line. Oh, sure, we might have a few more hackers get through, but everyone has hackers. All my friends with CSOs reporting to them are infested with viruses, spam and hackers, and they lose laptops, too. So show me this “enormous value” in the first five lines of your resume. For example: “I saved my last employer 30 percent in fraud executed against our website, delivering the project under budget and on schedule.”


Stop hyperventilating. You want executive rewards? Deliver executive value.

Next quote:

“This characteristic pattern [placing a CSO job on hold] is directly responsible for the myriad security breaches happening at many organizations.”

Really? Directly responsible? Let me tell you how we use the words “directly responsible” in business. We mean causative or we mean it happened on your watch.

Illustration by Jason Schneider

Are you telling me that SQL injection happens because attackers notice a job posting? That the day we made that choice, we got attacked again? From where I sit, breaches happen because our users make mistakes, because our developers put a copy of the friggin’ customer database on a laptop or because our auditors don’t tell us a damned thing about what’s wrong. They happen because security wonks tell us that we need to do all this PCI stuff, but once we’ve done it we’re still not secure. And again, I take a look at all these breaches, and they don’t seem to hit just the companies without a CSO. So Joseph, our CEO, thinks that we can give you a salary or not, and we’re gonna get shafted either way. Let me talk about what that shafting really means, because the next few things you said indicate some... confusion.

Next  quote: 

“Don’t they know that one serious breach can jeopardize the existence of their business...?”

No, we don’t. We know that Lehman Brothers didn’t dissolve because of any of their breaches. We know that GM didn’t go bankrupt because of information security issues. We know that most of the thousands of businesses who have gone under in this recession didn’t blame it on security. Wait, wait, don’t tell me. You’re gonna say that it really was security incidents, we just don’t know about them. Two things: First, that’s pathetic. You sound like a conspiracy nut. Second, if it was security problems, don’t you think the CEO would have hung the CSO out to dry? Do you think they’re going to materially misrepresent facts that are relevant to the decline of the business and risk jail under Sox? Heartland is still here. TJX had their best quarters ever after they got hacked.

Let me say this clearly: There are very real threats to the existence of our business. They forced us to let valuable employees and friends go. We hated doing that. But when we see real threats, we respond and we deal with them. We are laser-focused on increasing sales while cutting costs. You seem to be focused on other things, like security. You’re not laser-focused on what matters to us, and that’s OK. We can shake hands and go our separate ways. But throwing around ghost stories flips the bozo bit. And just like you and your unemployed CSO buddies talk, so do my employed CIO buddies and I. By the way, laser focus on your speciality is great in middle management. It’s what we want. One of the really hard things about jumping from management to executive is a focus on the whole of the business. It’s a rare person who manages it quickly or easily.


Next  quote: 

“...some of which [tough new security laws] carry severe penalties... including requirements of complete public disclosure to all the victims...”

Really? Severe penalties? That’s severe? This may come as a surprise to you, but every quarter, the CEO signs a disclosure form talking about how the business is doing. It discloses all sorts of things to the public. And the penalty for getting it wrong isn’t more disclosure—that’s table stakes. The penalty for getting it wrong is fines and jail time. If you ask Joe what a severe penalty is, he says jail time, fines or consent decrees. Not disclosure.

Next  quote: 

“This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival.”

First: Huh? We should be doing less in security? How the [dickens] is that gonna stop these hackers? Second, there is no area whatsoever where we didn’t have a serious, in-depth conversation about cutting. These random assertions that you kept making during the “small talk” part of the interview were really enlightening about your attitude and approach.

One  final  quote  before  I  wrap: 


“[T]op information security specialists have been saying for years that our current infrastructure is at grave risk.”

For the sake of argument, I’ll accept that the folks saying that really are top experts. And you’re right. They’ve been crying wolf for years. No one’s used a cross-site scripting attack to take down the world financial system. No one’s blown themselves up in Twitter’s headquarters. That failure to throw money at security didn’t lead to I-35 collapsing. Millions of Americans lack health care. Your unemployment money is running out. So I’m just going to assume that you, and they, are right. Our information infrastructure is one of the many things we could invest in.

To wrap this up: There are a tremendous number of ways any business can hire new execs. The ones we bring on board have an ability to see the forest and the trees. They can formulate and execute on strategies that impact the bottom line. They come in with proven records of execution and the metrics that show what they’ve done. We think security is important to our business and customers, and we look forward to finding someone who will approach it in a way that resonates in the boardroom. Until we do, we’ll continue to promote engineers with some management talent.

Let me leave you with this: You guys keep talking and talking about the end of the world. It doesn’t seem to come. As executives, we’re demanding evidence that the money will make a difference. What are you doing to get that evidence? ■


The anonymous CIO is not currently a CIO but a longtime technology executive and a self-described “troll living under a bridge.” Send feedback to Editor Derek Slater at dslater@cxo.com.




[cso view]

By Kerri Grosslight, Wells Fargo


Building a Culture of Accountability


Faced with challenging economic times and heightened legislative and regulatory scrutiny, companies are increasingly compelled to keep risk management top-of-mind. Whether a company’s risk-management framework is centralized, decentralized or somewhere in the middle, what’s most important are the people in that framework—those who identify and manage risks every day. Only through a culture of accountability, in which it’s clearly understood that risk identification and management is everyone’s responsibility, can a company truly meet its risk management and compliance commitments and deliver for its customers and shareholders.

As a first step toward building a culture of accountability, an assessment of the company’s risk management model and framework is essential. Ensure that everyone knows who’s responsible for understanding and addressing risks in each part of the organization. From a divisional or business line perspective, who is responsible for executing against corporate policies and understanding what the business needs to do to adhere to the policies, including performing training and raising awareness? Who aggregates and looks at risk holistically? It’s critical to know these things, because the accountability model starts with every employee understanding the potential risks that cross his or her desk. All leaders must understand the risks of the businesses for which they’re accountable and risk professionals must support employees and managers in risk mitigation. Beyond that, enterprise oversight is crucial so that risk from the entire organization is viewed compositely—this is particularly important if business groups are siloed.


Next, CSOs and other personnel in charge of risk activity need to acknowledge and address potential blind spots:

■ The familiar sense that “It can’t happen to us.” Bad things can and do happen.

■ Leaders are sometimes reluctant to communicate their mistakes. Open communication should be viewed as an opportunity to share risk awareness and help others avoid similar pitfalls.

■ If business groups are siloed, there’s often a lack of transparency across segments of the organization when risks arise. An aggregated, enterprise-wide view of risk trends and patterns is necessary, allowing business decision makers to connect the dots across the company and avoid one-off solutions.

■ When employees aren’t clear about an organization’s risk tolerance, they may get mixed messages around risk, which can be a real danger to a culture of accountability. A lack of clarity leads to assumptions that could negatively impact business or a tendency to take on more risk than is prudent.


Next, companies need to emphasize to managers at all levels the importance of modeling desirable behaviors. This includes ensuring that those responsible are helping employees identify and take responsibility for the risks that cross their desks. Leaders must remind employees that there are no penalties for pointing out risks—it’s not bringing issues forward that can lead to damaging consequences. Managers must demonstrate how to address the risk, learn from it, put into place the appropriate action plans, and shore up gaps so that similar issues do not arise again.

Finally, it is critical to communicate broadly and often to create awareness of blind spots and to help employees understand that risk management is everyone’s responsibility. Just talking about it makes a difference. Encourage leaders to have critical conversations about risk on an ongoing basis and instill a mind-set where people feel that their roles matter. Leaders can use communication channels that employees recognize and trust, whether it’s e-mail, newsletters, video clips or town hall meetings. Also remember that keeping teams and business partners informed and building trust with them by sharing what you can, as soon as you can, minimizes potential roadblocks to success. It is also critical to offer forums in which employees can identify and share simple, everyday actions for better risk management.

Everyone has a responsibility for risk management, and with the right culture, everything else falls into place. ■


Kerri Grosslight is head of risk management and compliance for the Technology and Operations Group, also serving as group risk officer for the Corporate Staff Groups.




MARKETPLACE 


“I surf X-rated sites from behind my cubicle walls.”

“I pass company secrets via the web.”

“I shop online all afternoon from work.”


Monitor Employee PC & Internet Activity

Spector 360 is the world’s first monitoring solution that makes it easy to detect inappropriate employee behavior. At the touch of a button, you will see ALL PC & Internet activity for your entire company and find out which employees are working, playing, doing their job efficiently or putting your business at risk by engaging in illicit or illegal behavior.

Spector 360 Records ALL Your Employees’

Emails (Sent and Received)
Chats & Instant Messages
Keystrokes Typed
Web Sites Visited
Files Saved to Removable Media
Google & Other Online Searches
Network Traffic
and much more...

[Screenshot: Spector 360 Dashboard showing a “Users Spending the Most Time Surfing Web Sites” chart by Active Time (hours), with Criteria, Settings, Events and Reports tabs and chart data]


Plus, Spector 360 includes a powerful screen snapshot recorder that shows you in exact visual detail what an employee does every step of the way... think of it as a surveillance camera for your office PCs.

Expect to See Immediate Results

See results within 24 hours of installing Spector 360... we guarantee it! Don’t just take our word for it. Try Spector 360 for yourself by calling 1.877.288.5699 and requesting a FREE test drive.


SPECTOR  360 


Monitoring,  Surveillance  and  Investigation  Software 


More than 50 built-in charts and reports allow you to quickly and easily identify your top achievers, productivity wasters, and anyone engaging in inappropriate or potentially damaging conduct.


PC Magazine Editors’ Choice




“Spector 360 is the most mature surveillance offering for business use.”


For  more  information,  visit: 

WatchWith360.com

or  call  us  anytime 

1 .877.288.5699 




[debriefing]


Google  Versus  Everybody 


1. What is the name of the number one Chinese-language search engine?

a. Google
b. Baidu
c. Sohu
d. Yahoogle

2. “Baidu” is:

a. literally translated as “hundreds of times.”
b. a Song Dynasty poem about the search for truth and beauty.
c. a corporation registered in the Cayman Islands.
d. censored by the Chinese government.

3. The “Aurora” code used in the 2009 Google hack in China was written in:

a. 2009
b. 2008
c. 2007
d. 2006

4. After a January attack on Baidu, the company sued which domain registrar?

a. Register.com
b. GoDaddy.com
c. Network Solutions
d. DotEasy


5. Google’s January 2010 threat to withdraw from China was:

a. a protest against Chinese government censorship.
b. a response to the 2009 attack on Google systems in China.
c. a response to competitive pressure from Baidu.
d. a bluff.

6. In January 2010, an executive at which company predicted Google’s Chrome operating system will be a major hacking target?

a. Google
b. McAfee
c. Microsoft
d. Diebold

7. Which company released the first antivirus software specifically for Google’s Android smartphone?

a. McAfee
b. Trend Micro
c. Symantec
d. Smobile


8. The Associated Press accuses Google News of copyright infringement. Google’s defense is based on:

a. the principles of defense against unintentional tort.
b. the Fair Use doctrine.
c. Miranda rights.
d. the 5th Amendment.

9. Which of the following is NOT a consideration in deciding what constitutes “fair use”?

a. The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes.
b. The desires of the originator of the content.
c. The amount and substantiality of the portion used in relation to the copyrighted work as a whole.
d. The effect of the use upon the potential market for or value of the copyrighted work.


ANSWERS: 1. b; 2. All of the above; 3. d; 4. a; 5. Who knows; 6. b; 7. d; 8. b; 9. b


So how’d you do?


0-3 Correct: 404
4-6 Correct: Searching for a clue
7-9 Correct: Smart enough to work for Google




Illustration  by  Steve  Traynor 


Two-Factor  Authentication 




Get the strong two-factor security you need to protect against today’s sophisticated threats without the hassle and cost of yesterday’s technology.


PhoneFactor


Easy to Setup, Manage, and Use
Strong Out-of-Band Authentication
Rapid Regulatory Compliance
Far Less Expensive Than Tokens


1.877.NOToken


www.phonefactor.com 


I need... seamless access solutions that are convenient and cost-effective.


...method to gain entry to doors. Now HID is revolutionizing logical access. HID on the desktop delivers user-friendly convenience and improved risk management for access to Windows networks by using the same card that opens your doors today.


Contact HID Global for a 90-day trial: hidglobal.com/90daytrial


